Date: Wed, 4 Sep 2013 10:22:35 -0500 (CDT)
From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "olevole" <olevole@olevole.ru>
Cc: freebsd-doc@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: handbook chapter for jail best practices needs for security remark
Message-ID: <23025.128.135.70.2.1378308155.squirrel@cosmo.uchicago.edu>
In-Reply-To: <2169287.FiyytKgDHO@gizmo.nevosoft.local>
References: <2169287.FiyytKgDHO@gizmo.nevosoft.local>
Nice observation! Yet: for that to work, both the rw and ro portions mounted inside the same jail have to be on the same filesystem. For hardlinks to work, both parts of the hardlink ("source" and "destination") should be on the same filesystem. Even though I'm not considering myself an expert in security, I will never have ro and rw filesystems (mounted inside the same jail) living physically on the same filesystem... That said, I'm never using ezjail or some other scripts to lay out jails for me. So, apart from putting a warning in the handbook (which is always instructive and educational!), one may need to audit jail-creating scripts. I'm certain they are good about that (and my great respects to the authors!), but taking an extra look at a specific thing never hurts.

Thanks.

Valeri

On Wed, September 4, 2013 4:40 am, olevole wrote:
> Mounting a directory via nullfs when the RW part is mounted above the RO
> part from one filesystem is insecure for the RO location, because it
> allows you to edit a file by hardlink in the RO place, due to the fact
> that the files have one inode.
>
> For example (by root user):
>
> % mkdir /usr/chroot
> % bsdinstall jail /usr/chroot
> % mount_nullfs -oro /bin /usr/chroot/bin
> % mkdir /rw
> % mount_nullfs /rw /usr/chroot/root
>
> % chroot /usr/chroot
> % touch /bin/date
> touch: /bin/date: Read-only file system
>
> % cd ~
> % ln /bin/date
> % ls -i /bin/date /root/date
> 58182 /bin/date
> 58182 /root/date
>
> (open /root/date in vi editor and change something)
> % vi date
> dd
> :wq!
>
> (logout from chroot)
> % exit
>
> (now /bin/date is corrupted)
> % /bin/date
> /bin/date: Exec format error. Binary file not executable.
>
> Such a scheme, where the RW data is overlaid above RO data, is popular
> for jail hosting and described in the Handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
>
> Perhaps it is worth mentioning in the article the need to separate the
> base onto cross-device storage or place it on a read-only system.
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
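The two checks the thread points to, as an added audit script that is not part of either message and not from the FreeBSD project: whether the ro base and the rw overlay source directories live on one filesystem (the layout that lets a hard link in the rw tree reach an inode of the ro tree), and whether any file in the rw tree already shares an inode with a file in the ro tree. It assumes it is run on the host against the nullfs source directories (in olevole's example, /bin and /rw), selects the stat(1) format flag by uname (BSD -f, GNU -c), and builds a constructed fixture in a temporary directory so it can run anywhere.

```shell
#!/bin/sh
# Added audit helper, not part of the thread. Run on the host against the
# nullfs *source* directories (olevole's example: ro base /bin, rw overlay /rw).

# Device number of the filesystem holding a path. BSD stat(1) takes the
# format with -f; GNU coreutils stat takes it with -c.
fs_device() {
    case "$(uname -s)" in
        FreeBSD|NetBSD|OpenBSD|Darwin) stat -f '%d' "$1" ;;
        *)                             stat -c '%d' "$1" ;;
    esac
}

# "device:inode" key for a file; two paths with the same key are one inode.
file_key() {
    case "$(uname -s)" in
        FreeBSD|NetBSD|OpenBSD|Darwin) stat -f '%d:%i' "$1" ;;
        *)                             stat -c '%d:%i' "$1" ;;
    esac
}

# True (exit 0) when both paths live on one filesystem: the layout in which
# a hard link made in the rw tree can reach an inode of the ro tree.
same_filesystem() {
    [ "$(fs_device "$1")" = "$(fs_device "$2")" ]
}

# Print "rw_file -> ro_file" for every file in the rw tree that shares an
# inode with a file in the ro tree. Only rw files with a link count above 1
# are candidates, so the rw scan is cheap; the ro tree is indexed once.
escaped_hardlinks() {
    ro="$1"; rw="$2"
    index=$(find "$ro" -type f | while read -r f; do
        printf '%s %s\n' "$(file_key "$f")" "$f"
    done)
    find "$rw" -type f -links +1 | while read -r f; do
        key=$(file_key "$f")
        match=$(printf '%s\n' "$index" |
            awk -v k="$key" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }')
        if [ -n "$match" ]; then
            printf '%s -> %s\n' "$f" "$match"
        fi
    done
}

# Constructed fixture mirroring the thread's scenario inside one temp
# directory (so ro and rw are necessarily on one filesystem): base/bin/date
# stands in for the ro base, rw/root for the overlay, and rw/root/date is a
# hard link to the base file. Prints the fixture path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/base/bin" "$d/rw/root"
    printf 'placeholder for the date binary\n' > "$d/base/bin/date"
    ln "$d/base/bin/date" "$d/rw/root/date"
    printf '%s\n' "$d"
}

demo=$(make_fixture)
if same_filesystem "$demo/base" "$demo/rw"; then
    echo "WARNING: ro base and rw overlay share a filesystem; hard links can cross them"
fi
escaped_hardlinks "$demo/base" "$demo/rw"
# prints: <tmp>/rw/root/date -> <tmp>/base/bin/date
rm -rf "$demo"
```

On a real host, pass the directory you mount with `-oro` and the rw overlay's source directory in place of the fixture paths. With the layout the thread recommends (base on a separate device, or on a filesystem that is itself read-only), `same_filesystem` returns false and link(2) from the overlay to a base inode fails with EXDEV, so `escaped_hardlinks` has nothing to report; running it periodically over existing jail overlays also catches links created before the layout was fixed.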