jails Possible Bug with jexec Usage in Combo with Jails and Firefox

[BawdyAnarchist]

Ok this is going to be a long one and I REALLY need the mods and smart guys on here to read this, because I think this is a bug, I just don't know with what exactly. I'll try to be as brief as possible but as descriptive as necessary.

Description

I have a set of GUI jails connected to the /tmp/.X11-unix socket. I mostly try to stay with Falkon as a browser, but unfortunately it's not always possible (damn you reddit). For the first time recently, I wanted to run two instances of Firefox simultaneously in different jails, and hit a problem.

With Firefox already running in jail "social" , I tried to launch another instance in a jail called "browsing". All of the user accounts in my jails are just called "user", and my host is "root@dom0"

root@dom0:~ # jexec -l -U user browsing csh -c firefox
*note: I don't know another way to launch an X11 program with jexec without using 'csh -c' to do it.

But the Firefox window which pops up, is not from the jail "browsing", but from the jail "social". Whichever jail launches the first instance of Firefox will continue to launch Firefox, even if I do the following:

root@dom0:~ # jexec -l -U user browsing csh
user@browsing:~ % firefox

or even if I try this:

root@dom0:~ # jexec -l -U user browsing csh -c xterm
[xterm window pops up]
user@browsing:~ % firefox

If I specify the root user for the jail, Firefox will launch correctly; HOWEVER, if I open a 3rd jail and try to launch with the root user or "user" user, same bug.

Conclusions?
Ok so this seems to have something to do with having the same user name across jails, in combintation with the way Firefox launches, and quite likely somehow tied in to the shared .X11-unix socket. However, I can't rule out jexec as having some culpability here, as it ought to be launching applications in the correct jail, although maybe some FreeBSD devs would say that sharing the .X11 socket is bound to cause these issues. I am but a script kiddie, not a dev, so please forgive my ignorance.

Workarounds
The obvious is to stop calling the unprivileged user "user" in my jails, and name them probably after the jail itself. Okay I have some really cool shell scripts for controlling jails that will need to be reworked, and there will be a loss of convenience and added complexity for my really awesome scripts that do things like automate jail creation/deletion, and create temporary disposable jails.

Smart guys, what do you think? Bug or not?

 

[genneko]

Hi, I'm not an expert at all but I've seen a similar behavior when playing with jails and X apps.
Maybe you can try adding --no-remote option to firefox.

Some links in no particular order:

How To: Execute Firefox in a jail using iocage and ssh/jailme

Motivations The main reason to put a browser in a jail is quite simple : browsers cannot be trusted. They are too much exposed. Executing a browser inside a jail is a way to be sure that the damages induced by a malicious software are contained (as much as possible). I decided to write this...

forums.freebsd.org

Starting firefox on a remote host (over ssh) opens a new window locally: what is happening?

I have never noticed this behaviour before, and am a little confused as to what is happening. I have a local copy of firefox running, then ssh (ssh -X <url>) into a remote server and start a...

unix.stackexchange.com

Firefox with X11 Forwarding is not working

I cannot open firefox via ssh: I've tried with: ssh -vvv -X user@192.168.40.21 But it outputs: debug3: send packet: type 50 debug2: we sent a password packet, wait for reply debug3: receive pac...

unix.stackexchange.com

 

[SirDice]

I've gotta say, it's pretty annoying to need help with something that has crickets for answers. I don't even have hardly any views on this post

Four days, have a little more patience.

and so I tried to repost, to get some more views at maybe a better day of week, and yall deleted my post.

Rule #10: https://forums.freebsd.org/threads/freebsd-forums-rules.38922/

So yeah, thanks alot admin(s) for deleting my post and not responding, recommending, or referencing ANYTHING at all

Some of the reasons why you may not get a response on a forum (any forum, not just here):

• Nobody understands your issue and thus cannot provide answers
• The person(s) that may have an answer hasn't seen your post yet. Not everyone is here 24/7, some people only swing by once a week or even less.
• Topic not descriptive enough so it's skipped when viewing unread threads.
• Worst reason of all, but it does happen, nobody cares enough about your issue to respond.

In case it's not clear, those are generic reasons why a post may receive little attention on any kind of forum. They're not specifically targeted at you or this post in particular.

 

[BawdyAnarchist]

Hi, I'm not an expert at all but I've seen a similar behavior when playing with jails and X apps.
Maybe you can try adding --no-remote option to firefox.

Some links in no particular order:

How To: Execute Firefox in a jail using iocage and ssh/jailme

Motivations The main reason to put a browser in a jail is quite simple : browsers cannot be trusted. They are too much exposed. Executing a browser inside a jail is a way to be sure that the damages induced by a malicious software are contained (as much as possible). I decided to write this...

forums.freebsd.org

Starting firefox on a remote host (over ssh) opens a new window locally: what is happening?

I have never noticed this behaviour before, and am a little confused as to what is happening. I have a local copy of firefox running, then ssh (ssh -X <url>) into a remote server and start a...

unix.stackexchange.com

Firefox with X11 Forwarding is not working

I cannot open firefox via ssh: I've tried with: ssh -vvv -X user@192.168.40.21 But it outputs: debug3: send packet: type 50 debug2: we sent a password packet, wait for reply debug3: receive pac...

unix.stackexchange.com

Thank you!! Yes that worked.

 

[BawdyAnarchist]

Four days, have a little more patience.


Rule #10: https://forums.freebsd.org/threads/freebsd-forums-rules.38922/



Some of the reasons why you may not get a response on a forum (any forum, not just here):

• Nobody understands your issue and thus cannot provide answers
• The person(s) that may have an answer hasn't seen your post yet. Not everyone is here 24/7, some people only swing by once a week or even less.
• Topic not descriptive enough so it's skipped when viewing unread threads.
• Worst reason of all, but it does happen, nobody cares enough about your issue to respond.

In case it's not clear, those are generic reasons why a post may receive little attention on any kind of forum. They're not specifically targeted at you or this post in particular.

Yes I apologize if I was a bit impatient. My last post before this also got zero replies and low views. And a couple posts before that about PEFS revealed no useful solution either, and the PEFS guys never emailed me back.

I was starting to feel pretty much without any support to help troubleshoot problems.

 

[tingo]

I was starting to feel pretty much without any support to help troubleshoot problems.

It is vital to understand that you (as in: everyone who participates) get what you pay for with community-driven, open source projects: no guarantees. You might get support from the community, or you might not, depending on a lot of factors. You might also be the first one to stumble over a problem, in that case nobody will have a "ready answer" for you, and you will have to put in a lot more effort and time figuring out the problem / describing the symptoms / trying out a lot of different things in hope of a solution.

 

[BawdyAnarchist]

It is vital to understand that you (as in: everyone who participates) get what you pay for with community-driven, open source projects: no guarantees. You might get support from the community, or you might not, depending on a lot of factors. You might also be the first one to stumble over a problem, in that case nobody will have a "ready answer" for you, and you will have to put in a lot more effort and time figuring out the problem / describing the symptoms / trying out a lot of different things in hope of a solution.

Yeah I understand that. I know FreeBSD is a different animal than most OSes. Which is why I contacted mods, tried to repost, etc. And trust me, I did spend some time trying to make sure I understood exactly when/how the problem was being caused.

 

[SirDice]

Which is why I contacted mods

You seem to misunderstand the function of a forum moderator. Moderators keep forums clean and pleasant. They're not "on-call" engineers you can always contact with technical issues.

Internet forum - Wikipedia

en.wikipedia.org

 

[richardtoohey2]

I know FreeBSD is a different animal than most OSes

I don't get this - these days I use a mix of Linux, Windows, FreeBSD, OpenBSD, Android, iOS, and MacOSX.

They all have users, processes, threads, user interface, security, privilege models, TCP/IP networking, configuration settings. They all have resources to manage (storage, RAM, CPUs). They work on a fairly limited range of hardware devices (Intel/ARM) - as in I can install Windows, or OpenBSD, or FreeBSD, or Linux on the same desktop or laptop PC, and if I go whole hog and install GUIs I can probably make them appear very similar to operate.

The same programs can run on most of those platforms - Firefox, Thunderbird, Apache, MySQL, etc.

They might have different labels for the same things (especially when via marketing!) but at the bottom they are quite similar. Some do some things better, some have different goals, not every problem is a nail so a hammer isn't always the right tool for a job.

The BSDs don't have as much resource (as in developers and $$$s) as Linux and Windows so yes, you might need to do a bit more searching or R&D yourself, if that's what you mean.

 

[BawdyAnarchist]

Yes, that is what I mean. Post some oddity like this in Ubuntu forums, and there will be fast responses for help. I try not to reach out here unless I am truly stuck, and have spent at least a few hours (often days) trying to figure out my own answer. I read the man pages multiple times over, purchased and read Michael Lucas' books, search the forums and search engines.

I'm not a dev, not a coder, although I am getting pretty decent at scripting, and have nearly 2000 lines of shell script for controlling jails and doing some really cool emulation of Qubes concepts.

FreeBSD is a bit different though, at least when it comes to jails, and doing creative things inside of jails (like nullfs mounting multiple jails to the .X11-unix socket). There are a few good guides for doing so (which I have read and followed), but it's just that, there are *few* guides for that specific thing. And while I'm becoming relatively capable at operating Unix, I am still learning and there's a ton of stuff I don't know.

 

[BawdyAnarchist]

You seem to misunderstand the function of a forum moderator. Moderators keep forums clean and pleasant. They're not "on-call" engineers you can always contact with technical issues.

Internet forum - Wikipedia

en.wikipedia.org

I never thought that. What I thought was "gee, 2 out of 3 of my last posts got zero, or nearly zero attention. This last one looks particularly interesting, maybe even a bug. I sure would like to try and get some extra visibility. Perhaps posting at 11pm on a Friday night, or maybe my title was not the best, is why it received very few views before becoming buried by more recent posts. Perhaps the mods can help me get more visibility. I really could use some help, or a reference or something, before I consider posting to bugzilla."

 

[SirDice]

Perhaps posting at 11pm on a Friday night, or maybe my title was not the best, is why it received very few views before becoming buried by more recent posts.

I honestly can't tell why it received so little attention. We can't force anyone to read anything. Heck, we have a whole bunch of rules new users should read but everyone seems to ignore those too. Much like license agreements, everyone just hits continue.