From owner-freebsd-jail@FreeBSD.ORG Mon Sep 22 20:10:46 2008 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D5256106564A for ; Mon, 22 Sep 2008 20:10:46 +0000 (UTC) (envelope-from glarkin@FreeBSD.org) Received: from mail1.sourcehosting.net (113901-app1.sourcehosting.net [72.32.213.11]) by mx1.freebsd.org (Postfix) with ESMTP id 8FB8B8FC0A for ; Mon, 22 Sep 2008 20:10:46 +0000 (UTC) (envelope-from glarkin@FreeBSD.org) Received: from 68-189-244-97.dhcp.oxfr.ma.charter.com ([68.189.244.97] helo=Gregory-Larkins-Computer.local) by mail1.sourcehosting.net with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1KhrRh-000Jia-Jk; Mon, 22 Sep 2008 15:51:46 -0400 Received: from [127.0.0.1] (fireball.entropy.prv [192.168.1.12]) by Gregory-Larkins-Computer.local (Postfix) with ESMTP id D30352521CDF; Mon, 22 Sep 2008 15:51:45 -0400 (EDT) Message-ID: <48D7F756.9040704@FreeBSD.org> Date: Mon, 22 Sep 2008 15:51:50 -0400 From: Greg Larkin Organization: The FreeBSD Project User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) MIME-Version: 1.0 To: Miroslav Lachman <000.fbsd@quip.cz> References: <20080922155111.T65801@maildrop.int.zabbadoz.net> <48D7EEA3.4040504@quip.cz> In-Reply-To: <48D7EEA3.4040504@quip.cz> X-Enigmail-Version: 0.95.7 OpenPGP: id=1C940290 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Spam-Score: -1.3 (-) Cc: freebsd-jail@freebsd.org Subject: Re: request for (security) comments on this setup X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: glarkin@FreeBSD.org List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Sep 2008 20:10:46 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Miroslav Lachman wrote: > Bjoern A. Zeeb wrote: >> On Mon, 22 Sep 2008, Randy Schultz wrote: >> >> Hi, >> >>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail >>> via >>> fstab.. When the jail is up and I'm logged into the jail I >>> can cd >>> to the mount point, r/w etc., everything seems to work. What's weird >>> tho' is, >>> while a df on the parent shows the partion mounted as expected, a df >>> inside >>> the jail shows the local disk but not the iSCSI mount. >>> ... >>> So, my first question is what am I missing, the second is does >>> mounting things >>> this way into a jail pose any sort of risk for escaping the jail? >> >> >> Does anything change if you do a >> sysctl security.jail.enforce_statfs=1 >> >> If that's what you want you can add the following lines to >> /etc/sysctl.conf in the base system so it is automatically set upon >> boot: >> >> # jails >> security.jail.enforce_statfs=1 > > Have this any impact on security? > > # sysctl -d security.jail.enforce_statfs > security.jail.enforce_statfs: Processes in jail cannot see all mounted > file systems > > For what this sysctl is implemented? > > Thanks > > Miroslav Lachman Hi Miroslav, - From the jail(8) man page: security.jail.enforce_statfs This MIB entry determines which information processes in a jail are able to get about mount-points. It affects the behaviour of the following syscalls: statfs(2), fstatfs(2), getfsstat(2) and fhstatfs(2) (as well as similar compatibility syscalls). When set to 0, all mount-points are available without any restrictions. When set to 1, only mount-points below the jail's chroot directory are visible. In addition to that, the path to the jail's chroot direc- tory is removed from the front of their pathnames. When set to 2 (default), above syscalls can operate only on a mount-point where the jail's chroot directory is located. Hope that helps, Greg - -- Greg Larkin http://www.FreeBSD.org/ - The Power To Serve http://www.sourcehosting.net/ - Ready. Set. Code. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFI1/dW0sRouByUApARAn8jAKC7BV/WcYK9jD0u8rT78dKpUxxKTgCeKu5v 6Z1BxjUUhlNPeszk+JCNDOg= =ja/n -----END PGP SIGNATURE-----