Date:      Mon, 19 Sep 2005 12:20:02 -0500
From:      Scot Hetzel <swhetzel@gmail.com>
To:        Martin Cracauer <cracauer@cons.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: device entries outside /proc with procfs (for chroot)
Message-ID:  <790a9fff05091910201817c845@mail.gmail.com>
In-Reply-To: <20050919130810.A41848@cons.org>
References:  <20050919130810.A41848@cons.org>

On 9/19/05, Martin Cracauer <cracauer@cons.org> wrote:
> I noticed the creation of /dev/ entries outside of /dev doesn't work
> anymore.  This is needed for chroot environments, which rely on
> /dev/null on a regular basis.
>
> I just created the appended message to freebsd-emulation but what I
> suggest doesn't work either.  It seems that even with the right major
> and minor device number we won't get a working /dev/null outside of
> /dev.
>
> Any suggestions? I think it is required to have some capability for
> device entries in chrooted environments.
>
> The only working thing I came up with is this:
>
> mkdir /compat/linux/dev
> mkdir /compat/linux/dev-hidden
> mount -t devfs devfs /compat/linux/dev-hidden
> cd /compat/linux/dev
> rm -f null zero
> ln -s ../dev-hidden/null .
> ln -s ../dev-hidden/zero .
>
> Any ill effects to be expected from this hack?
>
>
Yes, when you chroot to /compat/linux, you still have access to the
devices listed in /dev-hidden, which could cause a security issue.
Your best bet is to mount devfs on /compat/linux/dev, and then use
devfs_rules to limit the devices available in the chroot area.

> -- cut here --
>
> /usr/ports/emulators/linux_base/pkg-message
>  recommends:
> > You may wish to create and populate /compat/linux/dev/ if you plan to
> > chroot
> > into your Linux installation.  For example:
> >
> >         mkdir /compat/linux/dev
> >         mknod /compat/linux/dev/null c 2 2
> >         chmod 666 /compat/linux/dev/null
>
>
The solution is to change the pkg-message to add an example for 5.X+
that shows how to mount devfs on /compat/linux/dev, and uses
devfs_rules to hide all devices except for the null & zero device.

-- 
DISCLAIMER:
No electrons were maimed while sending this message. Only slightly bruised.
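The devfs-plus-ruleset approach Scot recommends, written out as an added example (this is not code from the thread, the pkg-message, or the FreeBSD project). The ruleset name `linuxchroot` and number `10` are assumed; the chroot root, the device list, and the temporary directory used by the self-check are constructed for illustration. `gen_devfs_rules` produces a devfs.rules(5) stanza you can paste into `/etc/devfs.rules`, `apply_chroot_devfs` does the same thing live with devfs(8) (FreeBSD, as root), and `check_only_devices` is a defender's sanity check that a directory exposes nothing beyond the allowed names.

```shell
#!/bin/sh
# Added example, not from the original thread.  Hides every node of a devfs
# mounted inside a chroot except the devices named on the command line.
# Ruleset name "linuxchroot" and number 10 are assumptions, not FreeBSD defaults.

# Print a devfs.rules(5) stanza: hide everything, then unhide each listed device.
# usage: gen_devfs_rules <name> <number> <device>...
gen_devfs_rules() {
    name=$1; num=$2; shift 2
    printf '[%s=%s]\n' "$name" "$num"
    printf 'add hide\n'
    for dev in "$@"; do
        printf 'add path %s unhide\n' "$dev"
    done
}

# Mount devfs on <root>/dev and apply the ruleset live with devfs(8).
# Requires FreeBSD and root; not executed at the bottom of this script.
# usage: apply_chroot_devfs <root> <number> <device>...
apply_chroot_devfs() {
    root=$1; num=$2; shift 2
    mkdir -p "$root/dev"
    mount -t devfs devfs "$root/dev"
    # Build the ruleset: hide all nodes, then unhide the allowed ones.
    devfs -m "$root/dev" rule -s "$num" add hide
    for dev in "$@"; do
        devfs -m "$root/dev" rule -s "$num" add path "$dev" unhide
    done
    # Attach the ruleset to this mount (covers nodes created later) and
    # apply it to the nodes that already exist.
    devfs -m "$root/dev" ruleset "$num"
    devfs -m "$root/dev" rule -s "$num" applyset
}

# Verify that a directory exposes only the allowed names.
# Returns 0 when every visible entry is allowed, 1 on the first stray entry.
# usage: check_only_devices <dir> <device>...
check_only_devices() {
    dir=$1; shift
    allowed=" $* "
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue        # unmatched glob stays literal; skip it
        base=${entry##*/}
        case "$allowed" in
            *" $base "*) ;;                # allowed device, keep going
            *) return 1 ;;                 # anything else means the ruleset leaked
        esac
    done
    return 0
}

# Stand-alone run: print the stanza for /etc/devfs.rules.  The live variant
# would be:  apply_chroot_devfs /compat/linux 10 null zero
gen_devfs_rules linuxchroot 10 null zero
```

To make the ruleset survive a reboot, put the printed stanza in `/etc/devfs.rules`, mount devfs on `/compat/linux/dev` via fstab(5), and set `devfs_set_rulesets="/compat/linux/dev=linuxchroot"` in rc.conf(5); after `service devfs restart`, `check_only_devices /compat/linux/dev null zero` should succeed, and `devfs -m /compat/linux/dev rule showsets` lists the ruleset in force.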