From owner-freebsd-jail@FreeBSD.ORG Mon Apr 5 11:07:04 2010
Date: Mon, 5 Apr 2010 11:07:03 GMT
Message-Id: <201004051107.o35B73IF027850@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 6 21:40:43 2010
Date: Tue, 6 Apr 2010 17:37:11 -0400
From: Glen Barber
To: Dan Naumov
Cc: freebsd-jail@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <20100406213711.GA38637@orion.hsd1.pa.comcast.net>
Subject: Re: bizarre mount_nullfs issue with jails / ezjail

Hi Dan,

Dan Naumov wrote:
> So, I want the basejail to only contain the world and link the ports
> tree from the host into each individual jail when it's time to update
> the ports inside them, but I am running into a bit of a bizarre issue:
> I can mount_nullfs /usr/ports elsewhere on the host just fine, but it
> doesn't work if I try to mount_nullfs it to /usr/ports inside the
> jail:
>
> mount_nullfs /usr/ports/ /usr/ports2
>
> df -H | grep ports
> cerberus/usr-ports             34G    241M    34G    1%    /usr/ports
> cerberus/usr-ports-distfiles   34G      0B    34G    0%    /usr/ports/distfiles
> cerberus/usr-ports-packages    34G      0B    34G    0%    /usr/ports/packages
> /usr/ports                     34G    241M    34G    1%    /usr/ports2
>
> mount | grep ports
> cerberus/usr-ports on /usr/ports (zfs, local)
> cerberus/usr-ports-distfiles on /usr/ports/distfiles (zfs, local)
> cerberus/usr-ports-packages on /usr/ports/packages (zfs, local)
> /usr/ports on /usr/ports2 (nullfs, local)
>
> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
> mount_nullfs: /basejail: No such file or directory
>
> What is going on here? I also note that the error actually wants a
> /basejail on the host, which is even more bizarre:
>
> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
> mount_nullfs: /basejail: No such file or directory
>
> mkdir /basejail
>
> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
> mount_nullfs: /basejail/usr: No such file or directory
>
> Yet, this works:
>
> mkdir /usr/jails/semipublic/test
> mount_nullfs /usr/ports/ /usr/jails/semipublic/test
> umount /usr/jails/semipublic/test
>
> Any ideas?
>

The ports directory in an ezjail is a link to /basejail/usr/ports (in the
jail).

Breaking the link (from the host) allows the mount to work successfully.

orion# ll usr/ports
lrwxr-xr-x  1 root  wheel  19 Mar  8 18:06 usr/ports -> /basejail/usr/ports
orion# unlink usr/ports
orion# mkdir usr/ports
orion# mount_nullfs /usr/ports usr/ports
orion#

Regards,

--
Glen Barber

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 6 21:43:13 2010
Date: Wed, 7 Apr 2010 00:43:10 +0300
From: Dan Naumov
To: Glen Barber
Cc: freebsd-jail@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: <20100406213711.GA38637@orion.hsd1.pa.comcast.net>
Subject: Re: bizarre mount_nullfs issue with jails / ezjail

On Wed, Apr 7, 2010 at 12:37 AM, Glen Barber wrote:
> Hi Dan,
>
> Dan Naumov wrote:
>> So, I want the basejail to only contain the world and link the ports
>> tree from the host into each individual jail when it's time to update
>> the ports inside them, but I am running into a bit of a bizarre issue:
>> I can mount_nullfs /usr/ports elsewhere on the host just fine, but it
>> doesn't work if I try to mount_nullfs it to /usr/ports inside the
>> jail:
>>
>> mount_nullfs /usr/ports/ /usr/ports2
>>
>> df -H | grep ports
>> cerberus/usr-ports             34G    241M    34G    1%    /usr/ports
>> cerberus/usr-ports-distfiles   34G      0B    34G    0%    /usr/ports/distfiles
>> cerberus/usr-ports-packages    34G      0B    34G    0%    /usr/ports/packages
>> /usr/ports                     34G    241M    34G    1%    /usr/ports2
>>
>> mount | grep ports
>> cerberus/usr-ports on /usr/ports (zfs, local)
>> cerberus/usr-ports-distfiles on /usr/ports/distfiles (zfs, local)
>> cerberus/usr-ports-packages on /usr/ports/packages (zfs, local)
>> /usr/ports on /usr/ports2 (nullfs, local)
>>
>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>> mount_nullfs: /basejail: No such file or directory
>>
>> What is going on here? I also note that the error actually wants a
>> /basejail on the host, which is even more bizarre:
>>
>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>> mount_nullfs: /basejail: No such file or directory
>>
>> mkdir /basejail
>>
>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>> mount_nullfs: /basejail/usr: No such file or directory
>>
>> Yet, this works:
>>
>> mkdir /usr/jails/semipublic/test
>> mount_nullfs /usr/ports/ /usr/jails/semipublic/test
>> umount /usr/jails/semipublic/test
>>
>> Any ideas?
>>
>>
>
> The ports directory in an ezjail is a link to /basejail/usr/ports (in the
> jail).
>
> Breaking the link (from the host) allows the mount to work successfully.
>
> orion# ll usr/ports
> lrwxr-xr-x  1 root  wheel  19 Mar  8 18:06 usr/ports -> /basejail/usr/ports
> orion# unlink usr/ports
> orion# mkdir usr/ports
> orion# mount_nullfs /usr/ports usr/ports
> orion#
>
> Regards,
>
> --
> Glen Barber

Thanks for the tip.

An additional question: how come "sade" and "sysinstall" which are run
inside the jail can see (and I can only assume they can also operate
on and damage) the real underlying disks of the host?

- Sincerely
Dan Naumov

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 6 21:56:47 2010
Date: Wed, 7 Apr 2010 00:29:54 +0300
From: Dan Naumov
To: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: bizarre mount_nullfs issue with jails / ezjail

So, I want the basejail to only contain the world and link the ports
tree from the host into each individual jail when it's time to update
the ports inside them, but I am running into a bit of a bizarre issue:
I can mount_nullfs /usr/ports elsewhere on the host just fine, but it
doesn't work if I try to mount_nullfs it to /usr/ports inside the
jail:

mount_nullfs /usr/ports/ /usr/ports2

df -H | grep ports
cerberus/usr-ports             34G    241M    34G    1%    /usr/ports
cerberus/usr-ports-distfiles   34G      0B    34G    0%    /usr/ports/distfiles
cerberus/usr-ports-packages    34G      0B    34G    0%    /usr/ports/packages
/usr/ports                     34G    241M    34G    1%    /usr/ports2

mount | grep ports
cerberus/usr-ports on /usr/ports (zfs, local)
cerberus/usr-ports-distfiles on /usr/ports/distfiles (zfs, local)
cerberus/usr-ports-packages on /usr/ports/packages (zfs, local)
/usr/ports on /usr/ports2 (nullfs, local)

mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
mount_nullfs: /basejail: No such file or directory

What is going on here? I also note that the error actually wants a
/basejail on the host, which is even more bizarre:

mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
mount_nullfs: /basejail: No such file or directory

mkdir /basejail

mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
mount_nullfs: /basejail/usr: No such file or directory

Yet, this works:

mkdir /usr/jails/semipublic/test
mount_nullfs /usr/ports/ /usr/jails/semipublic/test
umount /usr/jails/semipublic/test

Any ideas?

- Sincerely,
Dan Naumov

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 6 23:18:34 2010
Date: Tue, 6 Apr 2010 23:18:33 GMT
Message-Id: <201004062318.o36NIX2C049186@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: kern/145444: [jail] sysinstall and sade can access host's disks from within a jail

Old Synopsis: sysinstall and sade can access host's disks from within a jail
New Synopsis: [jail] sysinstall and sade can access host's disks from within a jail

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Apr 6 23:18:07 UTC 2010
Responsible-Changed-Why:
Perhaps the folks on the jail mailing list can comment.

http://www.freebsd.org/cgi/query-pr.cgi?pr=145444

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 7 00:57:30 2010
Date: Wed, 7 Apr 2010 00:57:30 GMT
Message-Id: <201004070057.o370vUKa038276@freefall.freebsd.org>
From: delphij@FreeBSD.org
To: dan.naumov@gmail.com, delphij@FreeBSD.org, freebsd-jail@FreeBSD.org, secteam@FreeBSD.org
Subject: Re: kern/145444: [jail] sysinstall and sade can access host's disks from within a jail

Synopsis: [jail] sysinstall and sade can access host's disks from within a jail

State-Changed-From-To: open->feedback
State-Changed-By: delphij
State-Changed-When: Wed Apr 7 00:55:02 UTC 2010
State-Changed-Why:
Dear submitter,

By default, FreeBSD applies a devfs rule called "jail" if the jail is being
started with the rc.d script /etc/rc.d/jail. Could you please make sure that
you are also using it this way?

This issue sounds like a security vulnerability but I can not reproduce it
on my own system, so maybe it's just a misconfiguration...

Thanks for bringing this to our attention!

Responsible-Changed-From-To: freebsd-jail->secteam
Responsible-Changed-By: delphij
Responsible-Changed-When: Wed Apr 7 00:55:02 UTC 2010
Responsible-Changed-Why:
Take as secteam@.

http://www.freebsd.org/cgi/query-pr.cgi?pr=145444

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 7 03:49:13 2010
Date: Wed, 7 Apr 2010 11:49:12 +0800
From: Mars G Miro
To: Dan Naumov
Cc: freebsd-jail@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: bizarre mount_nullfs issue with jails / ezjail

On Wed, Apr 7, 2010 at 5:43 AM, Dan Naumov wrote:
> On Wed, Apr 7, 2010 at 12:37 AM, Glen Barber wrote:
>> Hi Dan,
>>
>> Dan Naumov wrote:
>>> So, I want the basejail to
>>> only contain the world and link the ports
>>> tree from the host into each individual jail when it's time to update
>>> the ports inside them, but I am running into a bit of a bizarre issue:
>>> I can mount_nullfs /usr/ports elsewhere on the host just fine, but it
>>> doesn't work if I try to mount_nullfs it to /usr/ports inside the
>>> jail:
>>>
>>> mount_nullfs /usr/ports/ /usr/ports2
>>>
>>> df -H | grep ports
>>> cerberus/usr-ports             34G    241M    34G    1%    /usr/ports
>>> cerberus/usr-ports-distfiles   34G      0B    34G    0%    /usr/ports/distfiles
>>> cerberus/usr-ports-packages    34G      0B    34G    0%    /usr/ports/packages
>>> /usr/ports                     34G    241M    34G    1%    /usr/ports2
>>>
>>> mount | grep ports
>>> cerberus/usr-ports on /usr/ports (zfs, local)
>>> cerberus/usr-ports-distfiles on /usr/ports/distfiles (zfs, local)
>>> cerberus/usr-ports-packages on /usr/ports/packages (zfs, local)
>>> /usr/ports on /usr/ports2 (nullfs, local)
>>>
>>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>>> mount_nullfs: /basejail: No such file or directory
>>>
>>> What is going on here? I also note that the error actually wants a
>>> /basejail on the host, which is even more bizarre:
>>>
>>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>>> mount_nullfs: /basejail: No such file or directory
>>>
>>> mkdir /basejail
>>>
>>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>>> mount_nullfs: /basejail/usr: No such file or directory
>>>
>>> Yet, this works:
>>>
>>> mkdir /usr/jails/semipublic/test
>>> mount_nullfs /usr/ports/ /usr/jails/semipublic/test
>>> umount /usr/jails/semipublic/test
>>>
>>> Any ideas?
>>>
>>>
>>
>> The ports directory in an ezjail is a link to /basejail/usr/ports (in the
>> jail).
>>
>> Breaking the link (from the host) allows the mount to work successfully.
>>
>> orion# ll usr/ports
>> lrwxr-xr-x  1 root  wheel  19 Mar  8 18:06 usr/ports -> /basejail/usr/ports
>> orion# unlink usr/ports
>> orion# mkdir usr/ports
>> orion# mount_nullfs /usr/ports usr/ports
>> orion#
>>
>> Regards,
>>
>> --
>> Glen Barber
>
> Thanks for the tip.
>
> An additional question: how come "sade" and "sysinstall" which are run
> inside the jail can see (and I can only assume they can also operate
> on and damage) the real underlying disks of the host?
>

Disks (as well as others you have in your host's /dev) aren't visible
inside jails.

> - Sincerely
> Dan Naumov
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

--
cheers
mars
-----

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 7 06:28:25 2010
Date: Wed, 7 Apr 2010 09:28:23 +0300
From: Dan Naumov
To: Mars G Miro
Cc: freebsd-jail@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: bizarre mount_nullfs issue with jails / ezjail

>> An additional question: how come "sade" and "sysinstall" which are run
>> inside the jail can see (and I can only assume they can also operate
>> on and damage) the real underlying disks of the host?
>>
>
> Disks (as well as others you have in your host's /dev) aren't visible
> inside jails.

Well, somehow they are on my system.

I guess I should've also clarified that the jail was installed using
ezjail and not completely manually.

From /usr/local/etc/ezjail/semipublic:

export jail_semipublic_devfs_enable="YES"
export jail_semipublic_devfs_ruleset="devfsrules_jail"

- Sincerely,
Dan Naumov

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 7 06:43:13 2010
Date: Wed, 7 Apr 2010 14:43:11 +0800
From: Mars G Miro
To: Dan Naumov
Cc: freebsd-jail@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: bizarre mount_nullfs issue with jails / ezjail

On Wed, Apr 7, 2010 at 2:28 PM, Dan Naumov wrote:
>>> An additional question: how come "sade" and "sysinstall" which are run
>>> inside the jail can see (and I can only assume they can also operate
>>> on and damage) the real underlying disks of the host?
>>>
>>
>> Disks (as well as others you have in your host's /dev) aren't visible
>> inside jails.
>
> Well, somehow they are on my system.
>
> I guess I should've also clarified that the jail was installed using
> ezjail and not completely manually.
>
> From /usr/local/etc/ezjail/semipublic:
>
> export jail_semipublic_devfs_enable="YES"
> export jail_semipublic_devfs_ruleset="devfsrules_jail"
>

Well, I'm not entirely familiar w/ ezjail, but I use jails all the time,
and I can tell you that /dev in jails is very limited. Here's the /dev of
a jail of mine:

mars@spry9:~> ls -al /dev/
total 2
crw-rw-rw-  1 root  wheel    0,  58 Mar 27 03:02 crypto
dr-xr-xr-x  2 root  wheel        512 Mar 27 03:12 fd
dr-xr-xr-x  2 root  wheel        512 Mar 30 20:00 iso9660
lrwxr-xr-x  1 root  wheel         14 Mar 27 03:12 log -> ../var/run/log
crw-rw-rw-  1 root  wheel    0,  33 Apr  7 14:33 null
crw-rw-rw-  1 root  wheel    0,   7 Mar 27 03:02 ptmx
dr-xr-xr-x  2 root  wheel        512 Mar 27 03:22 pts
crw-rw-rw-  1 root  wheel    0,  10 Mar 27 11:12 random
lrwxr-xr-x  1 root  wheel          4 Mar 27 03:12 stderr -> fd/2
lrwxr-xr-x  1 root  wheel          4 Mar 27 03:12 stdin -> fd/0
lrwxr-xr-x  1 root  wheel          4 Mar 27 03:12 stdout -> fd/1
lrwxr-xr-x  1 root  wheel          6 Mar 27 03:12 urandom -> random
crw-rw-rw-  1 root  wheel    0,  34 Mar 27 03:02 zero
mars@spry9:~>

So I guess it's a configuration issue w/ your jails.

> - Sincerely,
> Dan Naumov
>

--
cheers
mars
-----

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 7 07:20:20 2010
Date: Wed, 07 Apr 2010 15:10:08 +0800
From: Aiza
To: Dan Naumov
Cc: freebsd-jail@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <4BBC2FD0.3040204@comclark.com>
Subject: Re: bizarre mount_nullfs issue with jails / ezjail

Dan Naumov wrote:
>>> An additional question: how come "sade" and "sysinstall" which are run
>>> inside the jail can see (and I can only assume they can also operate
>>> on and damage) the real underlying disks of the host?
>>>
>> Disks (as well as others you have in your host's /dev) aren't visible
>> inside jails.
>
> Well, somehow they are on my system.
>
> I guess I should've also clarified that the jail was installed using
> ezjail and not completely manually
>
> From /usr/local/etc/ezjail/semipublic
>
> export jail_semipublic_devfs_enable="YES"
> export jail_semipublic_devfs_ruleset="devfsrules_jail"
>
> - Sincerely,
> Dan Naumov
>
>
You are not in a jail but as the host. Use ezjail-admin console jailname
and things will look a lot different. What you are playing with are ezjail's
system control files.

From owner-freebsd-jail@FreeBSD.ORG Wed Apr  7 11:01:50 2010
In-Reply-To: <4BBC2FD0.3040204@comclark.com>
References:
<20100406213711.GA38637@orion.hsd1.pa.comcast.net> <4BBC2FD0.3040204@comclark.com>
Date: Wed, 7 Apr 2010 14:01:47 +0300
From: Dan Naumov
To: Aiza
Cc: freebsd-jail@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: bizarre mount_nullfs issue with jails / ezjail

On Wed, Apr 7, 2010 at 10:10 AM, Aiza wrote:
> Dan Naumov wrote:
>>>>
>>>> An additional question: how come "sade" and "sysinstall" which are run
>>>> inside the jail can see (and I can only assume they can also operate
>>>> on and damage) the real underlying disks of the host?
>>>>
>>> Disks (as well as others you have in your host's /dev) aren't visible
>>> inside jails.
>>
>> Well, somehow they are on my system.
>>
>> I guess I should've also clarified that the jail was installed using
>> ezjail and not completely manually
>>
>> From /usr/local/etc/ezjail/semipublic
>>
>> export jail_semipublic_devfs_enable="YES"
>> export jail_semipublic_devfs_ruleset="devfsrules_jail"
>>
>> - Sincerely,
>> Dan Naumov
>>
>>
> You are not in a jail but as the host. Use ezjail-admin console jailname and
> things will look a lot different. What you are playing with are ezjail's
> system control files.

No, I am not, I am running sade / sysinstall INSIDE THE JAIL (AFTER
ezjail-admin console jailname or after connecting to the jail via ssh).
- Sincerely,
Dan Naumov

From owner-freebsd-jail@FreeBSD.ORG Thu Apr  8 08:24:35 2010
Message-ID: <4BBD9C6A.9020404@fuujingroup.com>
Date: Thu, 08 Apr 2010 03:05:46 -0600
From: "Erich Jenkins, Fuujin Group Ltd"
To: freebsd-jail@freebsd.org
Subject: file permissions and user access

I've gone through the archives for the Jail list, and I'm not finding
anything specific to the issue we're experiencing. My apologies if this
is a known issue or if I've done something daft, but there appears to be
a file permission issue with jails.

We have a large deployment of jailed systems, and an issue was brought
to my attention today that I hope very much is the result of a
misconfiguration or other mistake.
Background:

Environment is FreeBSD 7.0-REL and 8.0-REL
Platforms include i386 (x86 Xeon), amd64 (Opteron) and sparc64 (Netra X1's)
Jail environment is a Complete jail, not an application jail

Situation:

A user managed to kill an apache process today, resulting in their
virtual web server (in a jail) going down. The user does not have root
privileges on this box, and is not a member of wheel. Upon inspection, I
found that the user had deleted a config file that was owned by root
(chmod 700). It appears they were not able to read the file, but they
were able to delete it, which I confirmed with the user.

Test:

To verify what appeared to be happening, I created a file in the user's
home directory (typed some garbage into a text file) owned by root (700)
and in the wheel group. I then logged into the user's account via ssh as
that user. I attempted to su to root, which I could not (as expected). I
tried to read the file and could not (as expected). Then I tried to
delete the file. Bingo. File was gone.

I also tried this via FTP using their account and the same thing
happened. I could delete the file, but could not transfer it, nor open it.

Any thoughts on this would be greatly appreciated. I've tried this in
the lab and on some production boxes, and this appears to affect 7.0-REL
and 8.0-REL (the only versions in the environment). This also does not
appear to be specific to any particular architecture as I have tested on
sparc64, amd64 and i386 boxes.

-- 
Erich M. Jenkins
Fuujin Group Limited

"You should never, never doubt what no one is sure about."
-- Gene Wilder

From owner-freebsd-jail@FreeBSD.ORG Thu Apr  8 09:10:05 2010
Message-ID: <4BBD9569.9090901@quis.cx>
Date: Thu, 08 Apr 2010 10:35:53 +0200
From: Jille Timmermans
To: "Erich Jenkins, Fuujin Group Ltd"
Cc: freebsd-jail@freebsd.org
In-Reply-To: <4BBD9C6A.9020404@fuujingroup.com>
Subject: Re: file permissions and user access

For deleting files you need write permission on the directory the file is in.
The permissions of the file itself won't matter.

-- Jille

On 8-4-2010 11:05, Erich Jenkins, Fuujin Group Ltd wrote:
> [...]

From owner-freebsd-jail@FreeBSD.ORG Thu Apr  8 09:27:15 2010
Message-ID: <4BBDA158.9030307@ulakbim.gov.tr>
Date: Thu, 08 Apr 2010 12:26:48 +0300
From: Onur Bektas
To: "Erich Jenkins, Fuujin Group Ltd"
Cc: freebsd-jail@freebsd.org
In-Reply-To: <4BBD9C6A.9020404@fuujingroup.com>
Subject: Re: file permissions and user access

Hi,

If the user has full rwx access to its home directory (and it is usually
the case) then it "can" remove the files within the directory even if the
user cannot read the content of the file.

The solution to your problem may be to change the user home directory
ownership to root and then set the sticky bit on the user home directory
(i.e., chmod 1775 $HOME). After that, the user can only delete files it is
the owner of (like the case in /tmp).

A better solution is to put configuration files in another directory
owned by root.

Regards,
Onur.

On 4/8/2010 12:05 PM, Erich Jenkins, Fuujin Group Ltd wrote:
> [...]

-- 
------
Onur BEKTAS
Sistem Yöneticisi / System Administrator
Teknik Destek Grubu
TÜBITAK ULAKBIM
tel: +903122989367
fax: +903122989393
----------------------------------
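The rule Jille states and the two fixes Onur describes, as an added example that is not code from any post in this thread: a small Python model of the unlink(2) permission check (directory search + write bits decide; the file's own mode is never consulted; a sticky directory additionally requires owning the file or the directory), evaluated for Erich's layout and for both of Onur's alternatives, followed by a live check in a temporary directory. The uid/gid 1001 and the file name httpd.conf are constructed for illustration.

```python
# Added example (not code from any post in this thread): a model of the
# unlink(2) permission rule that Jille and Onur describe, plus a live check
# on a temporary directory. uids, gids and path names are constructed.
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Ownership and mode bits of a file or directory (mode may include S_ISVTX)."""
    uid: int
    gid: int
    mode: int


@dataclass(frozen=True)
class Cred:
    """Credentials of the calling process: effective uid and all of its group ids."""
    uid: int
    gids: frozenset


def has_perm(cred: Cred, node: Inode, bit: int) -> bool:
    """Classic DAC check. `bit` is one of S_IROTH, S_IWOTH, S_IXOTH; the owner
    and group bits are derived by shifting. Root bypasses DAC entirely."""
    if cred.uid == 0:
        return True
    if cred.uid == node.uid:
        return bool(node.mode & (bit << 6))
    if node.gid in cred.gids:
        return bool(node.mode & (bit << 3))
    return bool(node.mode & bit)


def can_unlink(cred: Cred, parent: Inode, target: Inode) -> bool:
    """Whether `cred` may unlink `target`, an entry of directory `parent`.

    Only the directory's search and write bits are consulted; target.mode is
    never looked at, which is exactly why a 0700 root-owned file in a
    user-owned home directory is deletable. With the sticky bit set on the
    directory, the caller must additionally own the file or the directory.
    """
    if cred.uid == 0:
        return True
    if not (has_perm(cred, parent, stat.S_IXOTH) and has_perm(cred, parent, stat.S_IWOTH)):
        return False
    if parent.mode & stat.S_ISVTX:
        return cred.uid in (parent.uid, target.uid)
    return True


def thread_scenarios() -> dict:
    """The layouts discussed in the thread, evaluated for an unprivileged
    user (uid/gid 1001, constructed) against a root-owned 0700 config file."""
    user = Cred(uid=1001, gids=frozenset({1001}))
    root_conf = Inode(uid=0, gid=0, mode=0o700)
    return {
        # Erich's case: home owned by the user, rwxr-xr-x
        "home_owned_by_user": can_unlink(user, Inode(1001, 1001, 0o755), root_conf),
        # Onur's first fix: root-owned home, group = user's group, mode 1775 (sticky)
        "sticky_home": can_unlink(user, Inode(0, 1001, 0o1775), root_conf),
        # ... where the user can still remove files they own
        "sticky_home_own_file": can_unlink(user, Inode(0, 1001, 0o1775), Inode(1001, 1001, 0o644)),
        # Onur's better fix: the config lives in a root-owned 0755 directory
        "root_owned_dir": can_unlink(user, Inode(0, 0, 0o755), root_conf),
    }


def unlink_ignores_file_mode() -> bool:
    """Live demonstration on the real filesystem: a file chmod'ed to 000 inside
    a directory we own is still removable. Holds for root and non-root alike."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "httpd.conf")  # constructed name
        with open(path, "w") as f:
            f.write("# contents the user cannot read\n")
        os.chmod(path, 0)
        os.unlink(path)  # succeeds: the containing directory is writable by us
        return not os.path.exists(path)


if __name__ == "__main__":
    for name, deletable in thread_scenarios().items():
        print(f"{name:22s} deletable by unprivileged user: {deletable}")
    print("file mode alone protects from unlink:", not unlink_ignores_file_mode())
```

The model follows the BSD semantics Onur points at with the /tmp comparison: in a sticky directory an unprivileged caller may remove only entries it owns (or entries of a directory it owns), so chmod 1775 on a root-owned home lets the user manage their own files while keeping root's untouchable, and a root-owned 0755 directory rules out deletion outright.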