Date: Wed, 18 May 2005 00:22:21 +0200 From: Juergen Unger <j.unger@addict.de> To: Jeremie Le Hen <jeremie@le-hen.org> Cc: freebsd-hackers@freebsd.org Subject: Re: jails and output of df/mount [PATCH] Message-ID: <20050517222221.GA85134@crow.addict.de> In-Reply-To: <20050517214324.GA1021@obiwan.tataz.chchile.org> References: <20050516162456.GC69167@crow.addict.de> <20050517214324.GA1021@obiwan.tataz.chchile.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Jeremie ! On Tue, May 17, 2005 at 11:43:24PM +0200, Jeremie Le Hen wrote: [...] > This works fine on a recent RELENG_5 UP kernel. Given that this > exposes some host configuration inside jail, it might be worth > adding a sysctl to disable this. However, I'm not really sure > this kind of information could really be an attack vector or ramp. I don't share your opinion that this exposes information not allready known to the processes withing the jail. For example: with this patch I get on an sample jail here the following output: > jail# df -h > Filesystem Size Used Avail Capacity Mounted on > /dev/md3c 4.8G 148M 4.3G 3% /data1/jail/003 > 195.49.136.4:/po 989M 275M 635M 30% /data1/jail/003/usr/ports > 195.49.136.4:/di 989M 189M 721M 21% /data1/jail/003/distfiles > 195.49.136.4:/pa 989M 83M 828M 9% /data1/jail/003/packages > /dev/md2001c 19G 4.0K 18G 0% /data1/jail/003/var/spool/news > devfs 1.0K 1.0K 0B 100% /data1/jail/003/dev > fdescfs 1.0K 1.0K 0B 100% /data1/jail/003/dev/fd > procfs 4.0K 4.0K 0B 100% /data1/jail/003/proc > jail# the processes within the jail can get the same information without the patch if they call df for each mounted fs seperately: > jail# df -h / > Filesystem Size Used Avail Capacity Mounted on > /dev/md3c 4.8G 148M 4.3G 3% /data1/jail/003 > jail# df -h /usr/ports > Filesystem Size Used Avail Capacity Mounted on > 195.49.136.4:/po 989M 275M 635M 30% /data1/jail/003/usr/ports > jail# df -h /distfiles > Filesystem Size Used Avail Capacity Mounted on > 195.49.136.4:/di 989M 189M 721M 21% /data1/jail/003/distfiles . [...and.so.on...] . that in the output the '/data1/jail/003/' path component ist shown is another point to fix (I will make another patch for it), but this behaviour is not changed from before. Better it would be only output the path at it is known to the jailed processes. > There seems to be one small bug in your patch : once applied, we > don't see informations about / any longer inside jails. hmm, I think I know what you mean. I am very sure this happens only if the jail do not have an own filesystem (so the jails root is not the root of a filesystem). Should be easy to fix. I will make an improved patch until tomorrow. bye, Juergen -- ENOSIG
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050517222221.GA85134>