From: Eugene Mitrofanov
Organization: Independent Media Sanoma Magazines
To: Pawel Jakub Dawidek
Cc: freebsd-fs@freebsd.org, freebsd-stable@freebsd.org
Date: Wed, 26 May 2010 10:23:21 +0400
Subject: Re: FreeBSD 8.1 prerelease "security.jail.mount_allowed" is broken?
Message-Id: <201005261023.22291.eugene@imedia.ru>
In-Reply-To: <20100525190942.GD1659@garage.freebsd.pl>
References: <201005251235.19833.eugene@imedia.ru> <20100525190942.GD1659@garage.freebsd.pl>

On Tuesday 25 May 2010, Pawel Jakub Dawidek wrote:
> On Tue, May 25, 2010 at 12:35:19PM +0400, Eugene Mitrofanov wrote:
> > Hello
> >
> > I tried to mount from a jail but it failed. Could you advise me where my
> > mistake is?
> >
> > root@ftp:eugene# uname -mrs
> > FreeBSD 8.1-PRERELEASE amd64
> > root@ftp:eugene# sysctl -a | grep -E '(jailed|mount)'
> > vfs.usermount: 1
> > vfs.ffs.compute_summary_at_mount: 0
> > security.jail.mount_allowed: 1
> > security.jail.jailed: 1
> > root@ftp:eugene# mount /dev/da2s2a /var/t
> > mount: /dev/da2s2a : Operation not permitted
> > root@ftp:eugene# mount /dev/md1 /var/t
> > mount: /dev/md1 : Operation not permitted
> > root@ftp:eugene# mount /dev/zvol/tank/ftp.journal /var/t
> > mount: /dev/zvol/tank/ftp.journal : Operation not permitted
>
> You can only mount jail-friendly file systems - those with 'jail'
> keyword in lsvfs(1) output.

Unfortunately, it seems to me that 'zfs mount' is also broken in 8.1PRE (zpool ver 14).
"zfs jail 4 tank" executes successfully, but the word 'jail' does not appear in 'man zfs' anymore, and 'zfs set jailed=on tank' fails with the error "property 'jailed' not supported on FreeBSD: permission denied".

"zfs mount" from the jail also failed:

root@ftp:eugene# sysctl security.jail.jailed
security.jail.jailed: 1
root@ftp:eugene# zfs mount tank/test
cannot mount 'tank/test': permission denied

> What you tried can't be safe. Imagine creating corrupted file system on
> da2s2a and mounting it. It will panic entire system, not only your jail.

-- 
EMIT-RIPN, EVM7-RIPE
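A pre-flight check for the rule Pawel states above, written as an added example for this thread rather than code from either poster or from FreeBSD: before attempting a mount inside a jail, it confirms that `security.jail.jailed` and `security.jail.mount_allowed` are set and that the filesystem type carries the `jail` flag in `lsvfs(1)` output, which is why UFS on `da2s2a` is refused while a jail-flagged type is not. The function names `jail_friendly` and `mount_verdict` and the `lsvfs` sample text are this example's own constructions.

```shell
#!/bin/sh
# Sample lsvfs(1) output in its column layout, CONSTRUCTED for this example
# (not captured from a real host); pass live `lsvfs` output instead on FreeBSD.
LSVFS_SAMPLE='Filesystem                              Num  Refs  Flags
-------------------------------- ---------- -----  ---------------
ufs                              0x00000035     1
nullfs                           0x00000047     0  loopback, jail
zfs                              0x000000d4     4  jail, delegated-administration
devfs                            0x00000071     3  synthetic, jail'

# jail_friendly FSTYPE LSVFS_TEXT
# Returns 0 when the named filesystem type has the "jail" keyword in the
# Flags column (fields 4..NF), 1 otherwise.
jail_friendly() {
    fs=$1
    text=$2
    printf '%s\n' "$text" | awk -v fs="$fs" '
        $1 == fs { for (i = 4; i <= NF; i++) if ($i ~ /^jail,?$/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# mount_verdict FSTYPE LSVFS_TEXT JAILED MOUNT_ALLOWED
# Prints one line saying whether mount(8) of FSTYPE would be permitted, given
# the values of security.jail.jailed and security.jail.mount_allowed.
mount_verdict() {
    fs=$1; text=$2; jailed=$3; allowed=$4
    if [ "$jailed" != "1" ]; then
        echo "not jailed: ordinary mount(8) rules apply"
    elif [ "$allowed" != "1" ]; then
        echo "denied: security.jail.mount_allowed is 0"
    elif jail_friendly "$fs" "$text"; then
        echo "allowed: $fs is flagged jail in lsvfs"
    else
        echo "denied: $fs lacks the jail flag (EPERM even with mount_allowed=1)"
    fi
}

# Example run against the constructed table, mirroring the thread's situation.
mount_verdict ufs "$LSVFS_SAMPLE" 1 1
mount_verdict zfs "$LSVFS_SAMPLE" 1 1
```

On a real jail, replace the sample with `"$(lsvfs)"` and the two sysctl values with `sysctl -n security.jail.jailed` and `sysctl -n security.jail.mount_allowed`.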