Date: Mon, 22 Sep 2008 15:51:50 -0400 From: Greg Larkin <glarkin@FreeBSD.org> To: Miroslav Lachman <000.fbsd@quip.cz> Cc: freebsd-jail@freebsd.org Subject: Re: request for (security) comments on this setup Message-ID: <48D7F756.9040704@FreeBSD.org> In-Reply-To: <48D7EEA3.4040504@quip.cz> References: <Pine.BSF.4.64.0809220809440.16549@tdream.lly.earlham.edu> <20080922155111.T65801@maildrop.int.zabbadoz.net> <48D7EEA3.4040504@quip.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Miroslav Lachman wrote: > Bjoern A. Zeeb wrote: >> On Mon, 22 Sep 2008, Randy Schultz wrote: >> >> Hi, >> >>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail >>> via >>> fstab.<jailname>. When the jail is up and I'm logged into the jail I >>> can cd >>> to the mount point, r/w etc., everything seems to work. What's weird >>> tho' is, >>> while a df on the parent shows the partion mounted as expected, a df >>> inside >>> the jail shows the local disk but not the iSCSI mount. >>> ... >>> So, my first question is what am I missing, the second is does >>> mounting things >>> this way into a jail pose any sort of risk for escaping the jail? >> >> >> Does anything change if you do a >> sysctl security.jail.enforce_statfs=1 >> >> If that's what you want you can add the following lines to >> /etc/sysctl.conf in the base system so it is automatically set upon >> boot: >> >> # jails >> security.jail.enforce_statfs=1 > > Have this any impact on security? > > # sysctl -d security.jail.enforce_statfs > security.jail.enforce_statfs: Processes in jail cannot see all mounted > file systems > > For what this sysctl is implemented? > > Thanks > > Miroslav Lachman Hi Miroslav, - From the jail(8) man page: security.jail.enforce_statfs This MIB entry determines which information processes in a jail are able to get about mount-points. It affects the behaviour of the following syscalls: statfs(2), fstatfs(2), getfsstat(2) and fhstatfs(2) (as well as similar compatibility syscalls). When set to 0, all mount-points are available without any restrictions. When set to 1, only mount-points below the jail's chroot directory are visible. In addition to that, the path to the jail's chroot direc- tory is removed from the front of their pathnames. When set to 2 (default), above syscalls can operate only on a mount-point where the jail's chroot directory is located. Hope that helps, Greg - -- Greg Larkin http://www.FreeBSD.org/ - The Power To Serve http://www.sourcehosting.net/ - Ready. Set. Code. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFI1/dW0sRouByUApARAn8jAKC7BV/WcYK9jD0u8rT78dKpUxxKTgCeKu5v 6Z1BxjUUhlNPeszk+JCNDOg= =ja/n -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48D7F756.9040704>