From: Alexander Leidinger
Date: Tue, 17 May 2011 22:17:12 +0200
To: sbruno@freebsd.org
Cc: "freebsd-hackers@freebsd.org"
Subject: Re: NFS mount inside jail fails

On Tue, 17 May 2011 12:56:40 -0700 Sean Bruno wrote:

> Silly thing I ran into today. User wanted to NFS mount a dir inside a
> jail. After I groaned about the security implication of this, I noted
> that there is a sysctl that looks like it should allow this. Namely,
> security.jail.mount_allowed. I noted that setting this follows a path
> that *should* have allowed this silly thing to happen, except that the
> credentials in the nfsclient were not set up correctly.

As you noticed, this is supposed to allow mounting inside a jail, IF the FS you want to mount is marked as secure/safe to do so. Nearly no FS is marked as such, as nobody wants to guarantee that it is safe (root in a jail should not be able to panic a system by trying to mount a corrupt/malicious FS-image) and secure (not possible to get elevated access/privileges).

For NFS there is theoretically the problem that the outgoing address on requests could be the one of the physical host instead of the IP of the jail. If this is true in practice, I do not know. This could be the reason why NFS is not marked with VFCF_JAIL.

Bye,
Alexander.

--
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137