Date: Sun, 7 Nov 2004 20:08:08 +0200
From: Marko Raiha <mjraiha@fade.pp.fi>
To: freebsd-current@freebsd.org
Subject: DEVFS ruleset misbehaves with Jail
Message-ID: <20041107180808.GA89550@daemon.adsl.kpnqwest.fi>

Hi,

Although this concerns only the stable release for me, I am mailing this to freebsd-current because I guess it probably also concerns current and should then be MFCd to STABLE.

I have configured jails with RELENG_5_3 and there seems to be some odd behaviour when using devfs rulesets with jails. Jails do run wonderfully, but devfs rulesets don't. I have this kind of setup in /etc/rc.conf:

    # base system /etc/rc.conf jail settings:
    # Jails
    jail_enable="YES"
    jail_list="mail"
    jail_set_hostname_allow="NO"
    jail_mail_rootdir="/jail/mail"
    jail_mail_hostname="mail.example.domain"
    jail_mail_ip="192.168.42.42"
    jail_mail_exec="/bin/sh /etc/rc"
    jail_mail_devfs_enable="YES"
    jail_mail_devfs_ruleset="4"

When starting jails with the "/etc/rc.d/jail start" command I get this error:

    WARNING devfs_set_ruleset: you must specify a ruleset number

The jail is started without ruleset 4 as defined in /etc/default/devfs.rules, so all devices are seen inside /jail/mail/dev. If this can be repeated and confirmed to be true, and is not my misconfiguration, then this is clearly a security risk with jails.

The devfs_set_ruleset function is found in the file /etc/rc.subr on lines 1192-1209 (FreeBSD: src/etc/rc.subr,v 1.31 2004/07/30 17:19:35 mtm Exp). It seems that on line 1195 the script incorrectly evaluates the ruleset as an empty one. I am not familiar with rc scripts, but I tried this simple fix with success:

fortytwo# diff -u /etc/rc.subr-old /etc/rc.subr-new @@ -1192,7 +1192,7 @@ devfs_set_ruleset() { local devdir rs _me - [ -n "$1" ] && eval rs=\$$1 || rs= + [ -n "$1" ] && eval rs=\$1 || rs= [ -n "$2" ] && devdir="-m "$2"" || devdir= _me="devfs_set_ruleset"

I am not sure whether the bug is in this function or in the caller giving the wrong type of parameter. I would appreciate it if some rc-script wizard would check this and make a proper repair.

Regards,
--
Marko Räihä
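
Review bot: On the `+` line, `eval rs=\$1` changes the meaning of the first argument from a variable name to the value itself, so the `eval` no longer does anything and plain `rs=$1` would say the same thing more clearly. The bigger concern is the contract change: the `-` line's `\$$1` dereferenced `$1` as a variable name, so any caller that still passes a name would, after this change, get that name in `rs` instead of a ruleset number. Before this goes in, check every caller of devfs_set_ruleset and either fix the one that passes a bare number, or make the function accept both forms and refuse anything that does not resolve to a number, so that a jail is never started with an unrestricted /dev because the ruleset silently came out empty.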
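
Why the warning appears, as an added example that is not part of the original message or of rc.subr: resolve_old and resolve_new wrap the `-` and `+` forms of line 1195 from the diff above, and resolve_ruleset is a hypothetical stricter variant that accepts either a number or the name of a variable holding one and fails on anything else. The function names and the sample value are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample value mirroring the rc.conf in the message.
jail_mail_devfs_ruleset="4"

# Line 1195 before the patch: $1 is treated as the NAME of a variable.
# With $1=4 the eval becomes "rs=$4", an unset positional parameter.
resolve_old() (
    [ -n "$1" ] && eval rs=\$$1 || rs=
    printf '%s' "$rs"
)

# Line 1195 after the patch: $1 is treated as the VALUE itself.
resolve_new() (
    [ -n "$1" ] && eval rs=\$1 || rs=
    printf '%s' "$rs"
)

# Hypothetical stricter resolver (an assumption, not FreeBSD code):
# accept a number, or a variable name whose value is a number.
# Exit status 1 means "no usable ruleset", so a caller can refuse to
# start the jail instead of exposing every device node.
resolve_ruleset() (
    arg=$1
    case $arg in
        '') exit 1 ;;
        *[!0-9]*)
            # Not purely numeric: only a well-formed variable name
            # is ever passed to eval.
            case $arg in
                [!A-Za-z_]* | *[!A-Za-z0-9_]*) exit 1 ;;
            esac
            eval "arg=\${$arg-}"
            ;;
    esac
    case $arg in
        '' | *[!0-9]*) exit 1 ;;
    esac
    printf '%s' "$arg"
)

# Show how each form resolves a bare number and a variable name.
for a in 4 jail_mail_devfs_ruleset; do
    printf '%-24s old=[%s] new=[%s] strict=[%s]\n' "$a" \
        "$(resolve_old "$a")" "$(resolve_new "$a")" "$(resolve_ruleset "$a")"
done
```

The old form returns an empty ruleset for the bare number, the patched form returns the variable name unchanged when given a name, and only the strict form yields 4 in both cases.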