Thanks Henrik...
I read the link as well as the {prev} page from said link. And then googled the author. OT: I can't believe the author was in 9th grade when he wrote the article. I am completely amazed and envious.
http://www.samag.com/documents/s=1151/sam0105d/0105d.htm
...anyway
I made the change to the HOST sysctl.conf.
security.jail.sysvipc_allowed=1
Current sysctl.conf for HOST system:

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.check_interface=1
net.inet.tcp.recvspace=32768
net.inet.tcp.sendspace=32768
net.inet.tcp.syncookies=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.icmp.icmplim=200
security.jail.sysvipc_allowed=1
security.jail.allow_raw_sockets=1
kern.ipc.shmmax=536870912
%sysctl -A -d | grep jail    {listing human readable desc}
security.jail.set_hostname_allowed: Processes in jail can set their hostnames
security.jail.socket_unixiproute_only: Processes in jail are limited to creating UNIX/IPv4/route sockets only
security.jail.sysvipc_allowed: Processes in jail can use System V IPC primitives
security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems
security.jail.allow_raw_sockets: Prison root can create raw sockets
security.jail.chflags_allowed: Processes in jail can alter system file flags
security.jail.list: List of active jails
security.jail.jailed: Process in jail?

%sysctl -A | grep jail
security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 1
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 1
security.jail.chflags_allowed: 0
security.jail.list: Format:S Length:2584 Dump:0x01000000020000002f7573722f6a6169...
security.jail.jailed: 0
hobbitd now loads and website appears functional. I haven't yet configured any host systems.
Aside from the obvious "Processes in jail can use System V IPC primitives", what does this mean in terms of security? I understand that should a jail get hacked, the hacker can use System V IPC primitives. How, and to what extent?
Thanks so much for your help
Don
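As an added example (not code from Don's post, from the mailing list, or from the Hobbit project), here is a small sh script that audits the security.jail.* values printed above against a conservative baseline and reports every deviation. The sysctl output embedded in the script is a constructed sample containing the values Don posted; the baseline values are this example's own assumptions and are stricter than the FreeBSD defaults. It flags sysvipc_allowed=1 and allow_raw_sockets=1 in particular: on FreeBSD releases of that era there is one system-wide System V IPC namespace, so a jail with sysvipc_allowed=1 sees the same shared-memory segments, semaphore sets and message queues as the host and every other jail and can attach to any of them whose permission bits allow it, and allow_raw_sockets=1 lets jail root craft arbitrary IP packets.

```shell
#!/bin/sh
# Audit FreeBSD jail sysctls against a conservative baseline.
# Added example; not code from the original post or from FreeBSD.

# Baseline "name=value" pairs. These are the example author's assumptions
# about a hardened host, not FreeBSD's shipped defaults.
JAIL_BASELINE='
security.jail.set_hostname_allowed=0
security.jail.socket_unixiproute_only=1
security.jail.sysvipc_allowed=0
security.jail.enforce_statfs=2
security.jail.allow_raw_sockets=0
security.jail.chflags_allowed=0
'

# Constructed sample in "sysctl security.jail" output form, carrying the
# values shown in the post above. Used when no live sysctl is available.
SAMPLE_SYSCTL_OUTPUT='security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 1
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 1
security.jail.chflags_allowed: 0
security.jail.jailed: 0'

# audit_jail_sysctls: read "name: value" lines on stdin and print one line
# per setting that differs from the baseline, as
#   name current=<value> baseline=<value>
# Names that are not in the baseline (e.g. security.jail.jailed) are ignored.
audit_jail_sysctls() {
    awk -v baseline="$JAIL_BASELINE" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], kv, "=") == 2)
                    base[kv[1]] = kv[2]
        }
        /^security\.jail\./ {
            name = $1
            sub(/:$/, "", name)          # strip the trailing colon sysctl prints
            value = $2
            if ((name in base) && base[name] != value)
                printf "%s current=%s baseline=%s\n", name, value, base[name]
        }
    '
}

# Run the audit over the embedded sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SYSCTL_OUTPUT" | audit_jail_sysctls
}

# Number of deviations found in the sample (3 for the values in the post).
count_deviations() {
    audit_sample | wc -l | tr -d ' '
}

# With --live on a FreeBSD host, audit the real sysctl tree; otherwise show
# what the audit says about the posted values.
if [ "${1:-}" = "--live" ] && [ "$(uname -s)" = "FreeBSD" ]; then
    sysctl security.jail | audit_jail_sysctls
else
    audit_sample
fi
```

Run it as `sh jail_audit.sh --live` on the host to check the current tree, or with no arguments to see the three findings for the values in the post (set_hostname_allowed, sysvipc_allowed and allow_raw_sockets). Lowering the baseline to whatever a jail genuinely needs (hobbitd needs sysvipc_allowed for its shared-memory channels, hence the kern.ipc.shmmax bump) is the point: each setting left at 1 is a capability the jail keeps after a compromise.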