Message-ID: <3F3CEB66.20800@liwing.de>
Date: Fri, 15 Aug 2003 16:17:10 +0200
From: Jens Rehsack
Organization: LiWing IT-Services
To: "Scot W. Hetzel"
cc: Clement Laforet
cc: FreeBSD-Security List
cc: Robert Watson
cc: FreeBSD-Current List
Subject: Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

On 14.08.2003 15:36, Scot W. Hetzel wrote:
> I just noticed a problem with periodic scripts inside a jail.
> I'm getting:
>
> Local system status:
> tee: /dev/stderr: Operation not supported
>
> Mail in local queue:
> tee: /dev/stderr: Operation not supported
>
> Mail in submit queue:
> tee: /dev/stderr: Operation not supported
>
> in the periodic daily, weekly, monthly and security reports.  But if I mount
> the fdescfs on the jail, then these errors go away.
>
> So we need to add the following to the new jail script
>
> jail_start()
> {
>     :
>     eval jail_devfs=\"\$jail_${_jail}_devfs\"
>     [ -z ${jail_devfs} ] && jail_devfs="NO"
>
>     eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
>     [ -z ${jail_fdescfs} ] && jail_fdescfs="NO"
>     :
>     if checkyesno jail_devfs ; then
>         mount -t devfs dev ${jail_devdir}
>         if checkyesno jail_fdescfs ; then
>             mount -t fdescfs fdesc ${jail_devdir}/fd
>         fi
>         :
>     fi
>     :
> }
>
> jail_stop()
> {
>     :
>     eval jail_devfs=\"\$jail_${_jail}_devfs\"
>     [ -z ${jail_devfs} ] && jail_devfs="NO"
>
>     eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
>     [ -z ${jail_fdescfs} ] && jail_fdescfs="NO"
>     :
>     if checkyesno jail_devfs ; then
>         if [ -d ${jail_devdir} ] ; then
>             if checkyesno jail_fdescfs; then
>                 umount -f ${jail_devdir}/fd >/dev/null 2>&1
>             fi
>             umount -f ${jail_devdir} >/dev/null 2>&1
>         fi
>     fi
>     :
> }
>
> The only decision we need to make is whether to always mount the fdescfs when
> devfs is mounted on the jail, or have a variable to enable mounting of the
> fdescfs (jail_*_fdescfs).
>
> Scot

I don't run periodics in jails, because they are not allowed to mail
out :-)

But I wouldn't really care about having fdescfs mounted every time as a
security problem, so I would decide to mount it always (or by default).
If someone cares, addition of jail_example_mount_fdescfs is recommended.

I add a CC to security@, because there may be one or another who has an
important comment.

Best,
Jens