From: Scot Hetzel <swhetzel@gmail.com>
To: Martin Cracauer
Cc: freebsd-current@freebsd.org
Date: Mon, 19 Sep 2005 12:20:02 -0500
Subject: Re: device entries outside /proc with procfs (for chroot)
Message-ID: <790a9fff05091910201817c845@mail.gmail.com>
In-Reply-To: <20050919130810.A41848@cons.org>

On 9/19/05, Martin Cracauer wrote:
> I noticed the creation of /dev/ entries outside of /dev doesn't work
> anymore. This is needed for chroot environments, which rely on
> /dev/null on a regular basis.
>
> I just created the appended message to freebsd-emulation but what I
> suggest doesn't work either. It seems that even with the right major
> and minor device number we won't get a working /dev/null outside of
> /dev.
>
> Any suggestions? I think it is required to have some capability for
> device entries in chrooted environments.
>
> The only working thing I came up with is this:
>
> mkdir /compat/linux/dev
> mkdir /compat/linux/dev-hidden
> mount -t devfs devfs /compat/linux/dev-hidden
> cd /compat/linux/dev
> rm -f null zero
> ln -s ../dev-hidden/null .
> ln -s ../dev-hidden/zero .
>
> Any ill effects to be expected from this hack?
>
>

Yes, when you are chrooted to /compat/linux, you still have access to the
devices listed in /dev-hidden, which could cause a security issue.

Your best bet is to mount devfs on /compat/linux/dev, and then use
devfs_rules to limit the devices available in the chroot area.

> -- cut here --
>
> /usr/ports/emulators/linux_base/pkg-message
> recommends:
> > You may wish to create and populate /compat/linux/dev/ if you plan to
> > chroot
> > into your Linux installation. For example:
> >
> > mkdir /compat/linux/dev
> > mknod /compat/linux/dev/null c 2 2
> > chmod 666 /compat/linux/dev/null
>
>

The solution is to change the pkg-message to add an example for 5.X+
that shows how to mount devfs on /compat/linux/dev, and uses
devfs_rules to hide all devices except for the null & zero device.

-- 
DISCLAIMER: No electrons were maimed while sending this message. Only
slightly bruised.
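The devfs-plus-devfs_rules approach suggested in the reply above, worked through as an added example that is not part of the thread or of the linux_base port: a ruleset that hides everything in the chroot's devfs mount except null and zero, the rc.conf line that reapplies it at boot, and a check that nothing else is visible. The chroot path, the ruleset name and number, and the availability of devfs_set_rulesets on the target release are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: restrict a chroot's /dev to null and zero
# with a devfs(8) mount plus a devfs.rules(5) ruleset, instead of symlinks into
# a second, fully populated devfs. Paths, ruleset name and number are assumptions.
CHROOT_DEV="${CHROOT_DEV:-/compat/linux/dev}"
RULESET_NAME="linux_chroot"
RULESET_NUM=20

# Ruleset in devfs.rules(5) syntax: hide every node, then unhide only the two
# the chroot needs. Nodes that appear later fall under the same ruleset.
chroot_devfs_ruleset() {
    cat <<EOF
[${RULESET_NAME}=${RULESET_NUM}]
add hide
add path null unhide
add path zero unhide
EOF
}

# rc.conf(5) line so rc.d/devfs reapplies the ruleset to this mount at boot
# (devfs_set_rulesets is assumed to be available on the target release).
chroot_devfs_rcconf() {
    printf 'devfs_set_rulesets="%s=%s"\n' "$CHROOT_DEV" "$RULESET_NAME"
}

# Audit check: given a newline-separated listing of the chroot /dev, succeed
# only if nothing but null and zero is visible (the ruleset took effect).
chroot_dev_is_clean() {
    leftover=$(printf '%s\n' "$1" | grep -v -e '^null$' -e '^zero$' -e '^$')
    [ -z "$leftover" ]
}

# One-shot application on a live FreeBSD system as root; only runs when the
# script is invoked with "apply".
apply_chroot_devfs() {
    mkdir -p "$CHROOT_DEV"
    mount -t devfs devfs "$CHROOT_DEV"
    # feed each "add ..." line to devfs; $line is unquoted so it word-splits
    chroot_devfs_ruleset | grep '^add ' | while read -r line; do
        devfs -m "$CHROOT_DEV" rule -s "$RULESET_NUM" $line
    done
    devfs -m "$CHROOT_DEV" ruleset "$RULESET_NUM"       # bind ruleset to the mount
    devfs -m "$CHROOT_DEV" rule -s "$RULESET_NUM" applyset
    chroot_dev_is_clean "$(ls -1 "$CHROOT_DEV")" ||
        echo "warning: unexpected nodes visible in $CHROOT_DEV" >&2
}

if [ "${1:-}" = "apply" ]; then apply_chroot_devfs; fi
```

Run with no arguments the script only defines the helpers; `sh script.sh apply` performs the mount and rule application, and `chroot_devfs_ruleset >> /etc/devfs.rules` plus `chroot_devfs_rcconf >> /etc/rc.conf` persist the setup.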