From owner-freebsd-questions@FreeBSD.ORG Sat Sep 23 12:38:59 2006
From: Jeremie Le Hen
To: freebsd-questions@FreeBSD.org
Cc: jeremie@le-hen.org
Date: Sat, 23 Sep 2006 14:39:02 +0200
Subject: Re: [fbsd] chrooted named in a jail
Message-ID: <20060923123902.GV15761@obiwan.tataz.chchile.org>
In-Reply-To: <20060921193110.GL15761@obiwan.tataz.chchile.org>
User-Agent: Mutt/1.5.12-2006-07-14

Hi list,

On Thu, Sep 21, 2006 at 09:31:10PM +0200, Jeremie Le Hen wrote:
> Hi list,
>
> please Cc: me in your replies, I am not subscribed to this list.
>
> I have a jail in which named(8) runs. In order to make a possible bug
> exploitation still more difficult, I would like to use the named_chrootdir
> variable for rc.conf(5).
>
> Unfortunately, rc.d/named tries to mount devfs in the named_chrootdir,
> which is obviously not possible inside a jail. I could hack the jail
> startup bit in order to mount devfs in $jaildir/$named_chrootdir/dev,
> but I find this a bit overkill and I am looking for a neater way to
> achieve this. I thought of using $jail_fstab and $jail_mount_enable
> in order to mount_nullfs(8) $jaildir/dev onto $jaildir/$named_chrootdir/dev
> but I am not sure this is allowed by the kernel (I'm scared to panic my
> production box).
>
> Any clue, idea?

For your information, I managed to run a chrooted named(8) inside a jail
with two small patches I submitted in the following PRs:

http://www.freebsd.org/cgi/query-pr.cgi?pr=103486
http://www.freebsd.org/cgi/query-pr.cgi?pr=103489

The second PR prevents rc.d/named from doing devfs stuff inside a jail,
using the security.jail.jailed sysctl. The first PR makes rc.d/jail
mount the jail's devfs before the jail's fstab. This way, I can use
/etc/fstab. to null-mount $jail_rootdir/dev onto
$jail_rootdir/$named_chrootdir/dev.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
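The two pieces the thread relies on, as an added sh example that is not the code of either PR: the security.jail.jailed check that lets an rc.d/named-style script skip mounting devfs when it runs inside a jail, and the fstab(5) line for the jail's fstab that null-mounts the jail's /dev onto the chroot's dev directory. The function names, the /jails/dns root and the /var/named chroot are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the PRs' code). Mirrors the decision rc.d/named has
# to make about devfs in ${named_chrootdir} and builds the nullfs line
# for the jail's fstab. Paths and function names are assumptions.

# True when running inside a jail, read from security.jail.jailed as the
# second PR does; $1 may override the sysctl value (useful for testing
# on a host without the sysctl, where it is treated as "not jailed").
in_jail() {
    jailed="${1:-$(sysctl -n security.jail.jailed 2>/dev/null || echo 0)}"
    [ "$jailed" = "1" ]
}

# What to do about ${named_chrootdir}/dev:
#   none  - no chroot configured, nothing to mount
#   devfs - host case: mount devfs in the chroot ourselves
#   skip  - jailed case: leave it to the jail's fstab (nullfs of /dev)
named_devfs_action() {
    chrootdir="$1"; jailed="$2"
    if [ -z "$chrootdir" ]; then
        echo "none"; return
    fi
    if in_jail "$jailed"; then
        echo "skip"
    else
        echo "devfs"
    fi
}

# fstab(5) line for the jail's fstab, in host paths, that null-mounts the
# jail's already-mounted devfs onto the chroot's dev directory. It only
# works if rc.d/jail mounts devfs before processing the fstab, which is
# what the first PR changes.
named_chroot_fstab_line() {
    jail_rootdir="$1"; named_chrootdir="$2"
    printf '%s %s nullfs rw 0 0\n' \
        "${jail_rootdir}/dev" "${jail_rootdir}${named_chrootdir}/dev"
}

# Constructed sample values: jail root /jails/dns, chroot /var/named.
named_devfs_action /var/named 1
named_chroot_fstab_line /jails/dns /var/named
```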