From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 19:14:14 2008
Message-ID: <48D7EEA3.4040504@quip.cz>
Date: Mon, 22 Sep 2008 21:14:43 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org
Subject: Re: request for (security) comments on this setup
In-Reply-To: <20080922155111.T65801@maildrop.int.zabbadoz.net>

Bjoern A. Zeeb wrote:
> On Mon, 22 Sep 2008, Randy Schultz wrote:
>
> Hi,
>
>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
>> fstab.. When the jail is up and I'm logged into the jail I can cd
>> to the mount point, r/w etc., everything seems to work. What's weird
>> tho' is, while a df on the parent shows the partition mounted as expected,
>> a df inside the jail shows the local disk but not the iSCSI mount.
>> ...
>> So, my first question is what am I missing, the second is does
>> mounting things this way into a jail pose any sort of risk for
>> escaping the jail?
>
> Does anything change if you do a
> sysctl security.jail.enforce_statfs=1
>
> If that's what you want you can add the following lines to
> /etc/sysctl.conf in the base system so it is automatically set upon
> boot:
>
> # jails
> security.jail.enforce_statfs=1

Does this have any impact on security?

# sysctl -d security.jail.enforce_statfs
security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems

What is this sysctl implemented for?

Thanks

Miroslav Lachman
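As an added illustration of what the sysctl asked about does (not code from this thread), the shell function below emulates the mount-point visibility rules of security.jail.enforce_statfs as documented in jail(8): with the default value 2 a jailed df reports only the file system holding the jail root (shown as "/"), which is why a mount under the jail tree disappears; 1 additionally reports mounts below the jail root with the jail root prefix stripped; 0 reports everything. The host mount table is constructed.

```shell
# Emulation of the enforce_statfs visibility rules (semantics from jail(8)):
#   0 - every mount point on the host is reported
#   1 - the file system holding the jail root (reported as "/") plus mounts
#       below the jail root, with the jail root prefix stripped from their paths
#   2 - (default) only the file system holding the jail root, reported as "/"
# Usage: jail_visible_mounts MODE JAILROOT  < host mount points, one per line
# Assumes "/" is a mount point and that paths contain no whitespace.
jail_visible_mounts() {
    mode=$1
    root=$2
    mounts=$(cat)
    # Step 1: find the host file system that contains the jail root, i.e. the
    # longest mount path that is a prefix of the jail root ("/" always is).
    rootfs=/
    for m in $mounts; do
        case "$root/" in
            "$m/"*) if [ ${#m} -gt ${#rootfs} ]; then rootfs=$m; fi ;;
        esac
    done
    # Step 2: apply the policy for the requested mode.
    for m in $mounts; do
        if [ "$mode" = 0 ]; then
            echo "$m"
        elif [ "$m" = "$rootfs" ]; then
            echo /                                   # the jail's root file system
        elif [ "$mode" = 1 ]; then
            case "$m/" in
                "$root/"*) echo "${m#"$root"}" ;;    # mounted below the jail root
            esac
        fi
        # mode 2 hides every other mount point
    done
}

# Constructed host mount table: the jail lives under /usr and the iSCSI
# volume is mounted inside the jail tree.
HOST_MOUNTS='/
/usr
/var
/usr/jails/j1/iscsi'

for mode in 0 1 2; do
    echo "enforce_statfs=$mode:"
    printf '%s\n' "$HOST_MOUNTS" | jail_visible_mounts "$mode" /usr/jails/j1
done
```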