From owner-freebsd-questions@freebsd.org Wed Mar 15 08:19:43 2017
Subject: Re: FreeBSD-11 - /etc/fstab
To: byrnejb@harte-lyne.ca
References: <752326cf454b5045b8759e7a4a163a23.squirrel@webmail.harte-lyne.ca> <8e5c5be426784129a426acf656748826@dweimer.net>
Cc: freebsd-questions@freebsd.org
From: Arthur Chance
Date: Wed, 15 Mar 2017 08:19:32 +0000

On 14/03/2017 20:59, James B. Byrne via freebsd-questions wrote:
>
> On Tue, March 14, 2017 16:01, Dean E. Weimer wrote:
>
>> Look at man jail, search for mount.fstab, that's probably what you
>> need.
>> I use it for mounting nullfs file systems to my jails, haven't tried
>> with these special file systems though.
>>
>
> I read the man page which is why I first looked in the ezjail
> configuration file for this particular jail to see if the ability to
> mount these special file-systems was enabled. It appeared to be. I
> then updated the /etc/fstab.jailname file to have the desired
> entries:
>
> # cat /etc/fstab.hllidempiere
> /usr/jails/basejail /usr/jails/hllidempiere/basejail nullfs ro 0 0
> fdesc /dev/fd fdescfs rw 0 0
> proc /proc procfs rw 0 0
>
> However, when I start the jail, log on to it, and perform a mount
> command this is all I see:
>
> # mount
> zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
>
> Thus my question.

If your jail.conf has "enforce_statfs = 2" in it the jail can't report
any mounts other than its root. You should be able to see all mounts
from the host.

The best test when in the jail is whether you can see /proc or not. If
so, the jail system is doing its job of mounting the extra filesystems
*before* the jail starts, which means you can safely prevent the jail
from doing mounts itself, improving security. The only reason for having
/etc/fstab in the jail is to stop the rc scripts complaining about it
being missing, and an empty file is sufficient for that.

Note that looking for /dev/fd isn't quite the same. devd provides a
vestigial /dev/fd itself, containing just 0, 1 & 2 (i.e. stdin, stdout &
stderr). If fdesc is mounted you might see other file descriptors
depending on what your shell has open.

-- 
By June 1949, people had begun to realize that it was not so easy to get
a program right as had at one time appeared. It was on one of my journeys
between the EDSAC room and the punching equipment that the realization
came over me with full force that a good part of the remainder of my life
was going to be spent in finding errors in my own programs.
-- Maurice Wilkes
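A host-side check of the point made above, added here as an example and not code from anyone in the thread: since a jail with enforce_statfs = 2 only reports its own root, the script compares each entry of /etc/fstab.<jailname> against the host's mount(8) table, where the pre-jail mounts are visible. The sample fstab and mount table are constructed (modelled on the ones quoted, with mountpoints written as host-side paths under the jail root, and procfs deliberately left unmounted); jail_mounts_check and demo are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run on the HOST: with
# enforce_statfs = 2, mount(8) inside the jail reports only the root,
# so the host's mount table is the place to confirm that every entry
# of /etc/fstab.<jailname> was mounted before the jail started.
# Usage:  mount | jail_mounts_check /etc/fstab.hllidempiere
# Returns the number of fstab entries not found in the mount table.

jail_mounts_check() {
    fstab=$1
    mounts=$(cat)          # mount(8) output, read from stdin
    missing=0
    # fstab(5) fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac    # skip blanks/comments
        # mount(8) prints "<device> on <mountpoint> (<fstype>, ...)"
        if printf '%s\n' "$mounts" | grep -Fq -- " on $mnt ("; then
            echo "ok      $fstype on $mnt"
        else
            echo "MISSING $fstype on $mnt"
            missing=$((missing + 1))
        fi
    done < "$fstab"
    return "$missing"
}

# Constructed sample data: an fstab modelled on the one in the thread,
# with mountpoints written as host-side paths under the jail root, and a
# host mount table in which the procfs entry is deliberately absent.
SAMPLE_FSTAB='/usr/jails/basejail /usr/jails/hllidempiere/basejail nullfs ro 0 0
fdesc /usr/jails/hllidempiere/dev/fd fdescfs rw 0 0
proc /usr/jails/hllidempiere/proc procfs rw 0 0'
SAMPLE_MOUNTS='zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
/usr/jails/basejail on /usr/jails/hllidempiere/basejail (nullfs, local, read-only)
fdescfs on /usr/jails/hllidempiere/dev/fd (fdescfs)'

# Runs the check against the sample data; exit status = number missing.
demo() {
    tmp=$(mktemp) || return 99
    printf '%s\n' "$SAMPLE_FSTAB" > "$tmp"
    printf '%s\n' "$SAMPLE_MOUNTS" | jail_mounts_check "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

On a real host, a non-zero exit from `mount | jail_mounts_check /etc/fstab.<jailname>` lists exactly which entries never got mounted, without needing allow.mount inside the jail.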