From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: freebsd-questions@freebsd.org
Subject: Re: Jail question: packages with relative symlinks
Date: Tue, 25 Aug 2020 16:12:14 -0500
Message-ID: <9127e9ca-c6be-d007-bd82-fdf7c5508242@kicp.uchicago.edu>
In-Reply-To: <24d244da-43e4-9a5e-e940-3f183bc5a50e@holgerdanske.com>

On 8/25/20 3:50 PM, David Christensen wrote:
> On 2020-08-25 09:51, Valeri Galtsev wrote:
>> Dear Experts,
>>
>> I've got a question about jails, namely, what do you do if some package
>> you install in a jail brings relative symlink(s)?
>>
>> I install jails "by the book" and if relative symlinks are in
>> /usr/local, there is no problem with those, as in the jail the equivalent
>> of /usr/local is
>>
>> /s/usr-local
>>
>> and the depth is the same as on the real system. However, /etc in the jail is
>>
>> /s/etc
>>
>> and if a package brings a relative symlink to /etc, in the jail it will point
>> nowhere. I just resolved this failure for package ca_root_nss in a jail.
>> This package places in
>>
>> /etc/ssl
>>
>> the relative symlink:
>>
>> cert.pem --> ../../usr/local/share/certs/ca-root-nss.crt
>>
>> In the jail, however, it is situated in
>>
>> /s/etc/ssl
>>
>> so the above relative symlink points nowhere. I did a "trivial" thing,
>> just replaced the relative symlink with an absolute one:
>>
>> cert.pem --> /usr/local/share/certs/ca-root-nss.crt
>>
>> and, as this symlink is owned by the package ca_root_nss, I locked
>> that package, to prevent it from "automagically" replacing the symlink
>> with a relative one if an updated package is installed.
>>
>> This is kind of a crude solution, standing next to a "hack", so I do
>> not like what I did.
>>
>>
>> I wonder how jail experts deal with relative symlinks when some
>> package brings one into a place where the filesystem depth in the jail is
>> different from the real system.
>>
>>
>> Thanks.
>> Valeri
>
> I am no jail expert, but AIUI jails include chroot(8) functionality. So,
> all paths used within a jail will be resolved within the jailed tree.
>
>
> If you log in to the jail as root and install your software from there,
> it should just work.
>

The structure with symlinks I have mentioned has a special purpose. That
purpose is: the base system is mounted read-only inside the jail, and only
things that have to be read-write are read-write. This basically precludes
using what you suggest without diminishing the robustness of jails.

Thanks for your input though!

Valeri

>
> David
>
>
> p.s. Lucas wrote some good books that cover jails:
>
> [1] https://mwl.io/nonfiction/os#af3e
>
> [2] https://mwl.io/nonfiction/os#fmjail

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
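The failure described in this thread (a package's relative symlink dangling because /etc inside the jail really lives at /s/etc, while the absolute replacement resolves) can be reproduced and checked without a jail at all. The script below is an added example, not code from the thread or from any FreeBSD project; it rebuilds the layout in a scratch directory and resolves paths the way a jailed process sees them (absolute symlink targets restart at the jail root, relative ones are taken from the link's own directory, and ".." never climbs above the root). Assumed, because the message only says that /etc corresponds to /s/etc and /usr/local to /s/usr-local: the jail root carries the links etc -> s/etc and usr/local -> ../s/usr-local, and an empty file stands in for ca-root-nss.crt. The find_dangling_links check is the part worth keeping: a dangling /etc/ssl/cert.pem means anything in the jail that uses it as its CA file cannot verify TLS peers, and a package upgrade can quietly reinstate the relative link.

```shell
#!/bin/sh
# Added example, not code from the thread.  Rebuilds the jail layout from the
# message in a scratch directory and resolves paths with jail-root semantics,
# so the relative link shipped by ca_root_nss can be shown dangling next to
# the absolute replacement, and any other dangling link found.
#
# Assumptions (the message only names the /etc -> /s/etc and
# /usr/local -> /s/usr-local relocations): the jail root holds the links
# etc -> s/etc and usr/local -> ../s/usr-local; the CA bundle is an empty file.

# Resolve PATH (absolute, as seen inside the jail) against jail root ROOT the
# way the kernel does for a jailed process.  Prints the host path on success,
# fails if the path dangles or loops.
jail_resolve() {
    local root todo cur hops comp next target
    root=$1; todo=${2#/}; cur=""; hops=0
    while [ -n "$todo" ]; do
        case $todo in
            */*) comp=${todo%%/*}; todo=${todo#*/} ;;
            *)   comp=$todo;       todo="" ;;
        esac
        case $comp in
            ''|.) continue ;;
            ..)   case $cur in */*) cur=${cur%/*} ;; *) cur="" ;; esac; continue ;;
        esac
        next=${cur:+$cur/}$comp
        if [ -L "$root/$next" ]; then
            hops=$((hops + 1))
            [ "$hops" -le 32 ] || return 1            # symlink loop
            target=$(readlink "$root/$next")
            case $target in
                /*) cur=""; todo="${target#/}${todo:+/$todo}" ;;  # restart at jail root
                *)  todo="$target${todo:+/$todo}" ;;              # relative to link's directory
            esac
        else
            cur=$next
        fi
    done
    [ -e "$root/$cur" ] || return 1
    printf '%s\n' "$root/$cur"
}

# Scratch stand-in for the jail root with the relocations the message names.
build_jail_layout() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/s/etc/ssl" "$root/s/usr-local/share/certs" "$root/usr"
    : > "$root/s/usr-local/share/certs/ca-root-nss.crt"  # stands in for the bundle
    ln -s s/etc "$root/etc"                  # /etc       -> /s/etc   (assumed)
    ln -s ../s/usr-local "$root/usr/local"   # /usr/local -> /s/usr-local (assumed)
    printf '%s\n' "$root"
}

# Every symlink under ROOT that dangles under jail semantics, one per line.
# Run this after each pkg(8) install or upgrade inside the jail.
find_dangling_links() {
    local root link rel
    root=$1
    find "$root" -type l | while read -r link; do
        rel=${link#"$root"}
        jail_resolve "$root" "$rel" >/dev/null ||
            printf '%s -> %s\n' "$rel" "$(readlink "$link")"
    done
}

# The package's relative link and the absolute replacement, side by side.
demo() {
    local root f target
    root=$(build_jail_layout) || return 1
    ln -s ../../usr/local/share/certs/ca-root-nss.crt "$root/s/etc/ssl/cert.pem"
    ln -s /usr/local/share/certs/ca-root-nss.crt      "$root/s/etc/ssl/cert-abs.pem"
    for f in cert.pem cert-abs.pem; do
        if target=$(jail_resolve "$root" "/etc/ssl/$f"); then
            printf '/etc/ssl/%s resolves to %s\n' "$f" "${target#"$root"}"
        else
            printf '/etc/ssl/%s DANGLES (%s)\n' "$f" "$(readlink "$root/s/etc/ssl/$f")"
        fi
    done
    echo "dangling links under the jail root:"
    find_dangling_links "$root"
    rm -rf "$root"
}

demo
```

Running it shows cert.pem dangling (its "../.." climbs from /s/etc/ssl to /s, where there is no usr/local) while cert-abs.pem resolves to /s/usr-local/share/certs/ca-root-nss.crt through the /usr/local link. Against a real jail, point find_dangling_links at the jail's root directory on the host; it needs no privileges beyond reading the tree.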