From owner-freebsd-jail@FreeBSD.ORG Wed Sep 4 09:40:42 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 70D8C627 for ; Wed, 4 Sep 2013 09:40:42 +0000 (UTC) (envelope-from olevole@olevole.ru) Received: from mail-lb0-f171.google.com (mail-lb0-f171.google.com [209.85.217.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id EB90B235E for ; Wed, 4 Sep 2013 09:40:41 +0000 (UTC) Received: by mail-lb0-f171.google.com with SMTP id u14so160262lbd.2 for ; Wed, 04 Sep 2013 02:40:34 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id:user-agent :mime-version:content-transfer-encoding:content-type; bh=pMbtpV1H7bdh8dJaWA/TKFz9S4DCWFcMe2T2vYcBQ6Y=; b=kW5aHfw7weofz64hDVQolsh47Jg77rU/h5A5AZJfPL+dk+0uFUvbH5CZJwUTl6wPNu AhVbrMz87Nrdy5iOL34DbcHzTgc9NXiI3DL8oqrtiOaFWqMEZzCm5bxciMR6wdWt9bih 6os5SllMWzn4AIXnwS75tnaPGnaePDpGz4b8qQZdliUjsaPt3EpBjyxXeU1Fe2LUZrVP CdLELyAGezKT1tc54FE+8jxcJk8y2EeLcHQpIlSVG1bIK8EXhGl8Zc36vh/ajdOBl+8O nmOA24IziTXgaE8Q3HCI9jP/+iS3iFExv+GjGfsnWhmbD6WwkqAQtu1CDEfCv+MmDhPb QlJQ== X-Gm-Message-State: ALoCoQkDDOuvxtjZtBwhsFdhRW9IXpemotQF2b9QLTTHXZ516ARCCrmaM55lXAovzbXrs06bvfkJ X-Received: by 10.152.30.74 with SMTP id q10mr1838116lah.27.1378287634318; Wed, 04 Sep 2013 02:40:34 -0700 (PDT) Received: from gizmo.nevosoft.local (ip-195-182-142-52.clients.cmk.ru. [195.182.142.52]) by mx.google.com with ESMTPSA id f17sm10163232lbo.12.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 04 Sep 2013 02:40:33 -0700 (PDT) From: olevole To: freebsd-doc@freebsd.org, freebsd-jail@freebsd.org Subject: handbook chapter for jail best practices needs for security remark Date: Wed, 04 Sep 2013 13:40:31 +0400 Message-ID: <2169287.FiyytKgDHO@gizmo.nevosoft.local> User-Agent: KMail/4.10.5 (FreeBSD/10.0-CURRENT; KDE/4.10.5; amd64; ; ) MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Sep 2013 09:40:42 -0000 Mounting directory via nullfs when RW part mounted above RO from one filesystem is insecure for RO location, because it allows you to edit a file by hardlink on RO place, due to the fact that the files have one inode. For example (by root user): % mkdir /usr/chroot % bsdinstall jail /usr/chroot % mount_nullfs -oro /bin /usr/chroot/bin % mkdir /rw % mount_nullfs /rw /usr/chroot/root % chroot /usr/chroot % touch /bin/date touch: /bin/date: Read-only file system % cd ~ % ln /bin/date % ls -i /bin/date /root/date 58182 /bin/date 58182 /root/date (open /root/date in vi editor and change something) % vi date dd :wq! (logout from chroot) % exit (now /bin/date is corrupted) % /bin/date /bin/date: Exec format error. Binary file not executable. Such scheme when the RW data is overlaid above RO data is popular for jail hosting and described in Handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html Perhaps it is worth mentioning in the article about the need to separate base to cross-device storage or place it on a read-only system.