From: c0ldbyte
To: Jeremie Le Hen
Cc: freebsd-hackers@freebsd.org
Date: Thu, 21 Apr 2005 07:39:08 -0400 (EDT)
Subject: Re: Configuration differences for jails
Message-ID: <20050421073009.G51738@eleanor.us1.wmi.uvac.net>
In-Reply-To: <20050420165559.GI91329@obiwan.tataz.chchile.org>
References: <20050420135013.GE91329@obiwan.tataz.chchile.org> <20050420151104.GA11753@grummit.biaix.org> <20050420165559.GI91329@obiwan.tataz.chchile.org>
List-Id: Technical Discussions relating to FreeBSD

On Wed, 20 Apr 2005, Jeremie Le Hen wrote:

>> I'm trying to untangle myself on this issue. I have different
>> filesystems for /, /usr, and /usr/local, mounted in unusual places:
>>
>> 504,p0,1$ ls -l /usr{,/X11R6,/local}
>> lrwxr-xr-x 1 root wheel 18 7 nov 2003 /usr -> fs/base/mount/usr/
>> lrwxr-xr-x 1 root wheel 25 8 nov 2003 /usr/X11R6 -> ../../../apps/mount/X11R6
>> lrwxr-xr-x 1 root wheel 25 18 abr 20:40 /usr/local -> ../../../apps/mount/local
>>
>> I know I want to share /usr, but not /usr/local, and only parts of /. So
>> I mount_unionfs /fs/base inside the jail:
>>
>> :/fs/base/mount on /fs/jaildata/mount/fs/base/mount (unionfs, local, read-only, noclusterw)
>>
> mount_nullfs(8) will mount one directory and all its content onto another
> one, but there is no way to exclude one of the subdirectories. You
> will instead have to mount each subdirectory you need, not more. One
> other way to achieve this is to make a second null mount over the
> directory you don't want to share (/usr/local) but I'm not aware of
> the consequences of such a setup in terms of performance and stability.
>
>> But this way I don't get the "automagically upgrade virtual hosts"
>> behaviour I want, since I'm missing /{,s}bin, /lib and /libexec and I
>> definitely don't want to share /etc.
>
> You won't have a one to one mapping between jail and null mounts. There
> are generally multiple null mounts for a unique jail.
>
> Considering your jail root is /jail/test, and you enabled the
> jail_$jail_mount (jail_test_mount here) rc.conf(5) variable, here is
> the content of /etc/fstab.test :
> %%%
> /bin /jail/test/bin nullfs ro 0 0
> /sbin /jail/test/sbin nullfs ro 0 0
> /lib /jail/test/lib nullfs ro 0 0
> /libexec /jail/test/libexec nullfs ro 0 0
> /usr/bin /jail/test/usr/bin nullfs ro 0 0
> /usr/sbin /jail/test/usr/sbin nullfs ro 0 0
> /usr/lib /jail/test/usr/lib nullfs ro 0 0
> /usr/libexec /jail/test/usr/libexec nullfs ro 0 0
> /usr/libdata /jail/test/usr/libdata nullfs ro 0 0
> /usr/share /jail/test/usr/share nullfs ro 0 0
> /usr/compat /jail/test/usr/compat nullfs ro 0 0
> %%%
>
>> I don't think it's easy to take /etc/ outside the root fs, but I don't
>> see how to share /bin or /lib without leaking info.
>>
>> How do you handle this? What are those distribution targets and how can
>> I use them?
>
> As I said above, null mount each directory.
>
> Regards,

Now I haven't caught this whole thread but to my understanding right now you are talking about mounting nullfs's from the root filesystem "/" onto the jail, correct? Now if that last question is correct and that's the process you are using to create a jail then depending on the situation wouldn't that in turn defeat some of the main purposes of the jail, like the following.

If you mounted your "/bin" on "/mnt/jail/bin" then if a person that was looking to break in and affect the system that is currently locked in the "jail" all he would have to do is just write something to the "jail/bin" which is actually your root "/bin" and then the next time a binary is used from your root directories it could still infect the rest of the system ultimately defeating the purpose of what you just set up.

To my understanding and use a jail is somewhat totally independent of the OS that it resides in and won't be if you are using nullfs to mount root binary directories on it. With all due respect "This is a bad idea" given almost any situation that you would have to create a jail for an unsafe process or users.

-- 
( When in doubt, use brute force. -- Ken Thompson 1998 )
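
An added example (not part of the original thread): a small sh/awk check over a per-jail fstab such as the /etc/fstab.test quoted above, reporting any nullfs entry under the jail root that is not mounted `ro`, since such an entry gives the jail a writable view of the host directory. The function names and the sample entries using `rw` and `noatime` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a per-jail fstab for nullfs entries that expose a
# host directory to the jail without the read-only option.
# Usage: audit_jail_fstab /etc/fstab.test /jail/test

# audit_jail_fstab FSTAB JAILROOT
# Prints "WRITABLE <host_dir> -> <mount_point>" for every nullfs entry whose
# mount point lies under JAILROOT and whose options lack "ro".
# Exit status is 1 if any such entry was found, 0 otherwise.
audit_jail_fstab() {
    awk -v root="$2" '
        NF == 0 || $1 ~ /^#/     { next }   # skip blank lines and comments
        $3 != "nullfs"           { next }   # only null mounts are of interest
        index($2, root "/") != 1 { next }   # mount point must be inside the jail
        {
            # fstab field 4 is a comma-separated option list
            n = split($4, opts, ",")
            ro = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro") ro = 1
            if (!ro) { print "WRITABLE " $1 " -> " $2; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: some of the thread's entries plus one deliberately
# writable line and one entry with an extra option.
sample_fstab() {
    cat <<'EOF'
# Device   Mountpoint            FStype  Options     Dump Pass
/bin       /jail/test/bin        nullfs  ro          0 0
/sbin      /jail/test/sbin       nullfs  ro          0 0
/usr/lib   /jail/test/usr/lib    nullfs  rw          0 0
/usr/share /jail/test/usr/share  nullfs  ro,noatime  0 0
EOF
}

# Runs the audit over the constructed sample and returns its exit status.
demo() {
    tmp=$(mktemp) || return 2
    sample_fstab > "$tmp"
    audit_jail_fstab "$tmp" /jail/test
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```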