From: Julian Elischer <julian@freebsd.org>
Date: Tue, 17 May 2011 16:14:10 -0700
To: Alexander Leidinger
Cc: freebsd-hackers@freebsd.org
Subject: Re: NFS mount inside jail fails
Message-ID: <4DD30142.4010103@freebsd.org>
In-Reply-To: <20110517221712.00006e91@unknown>

On 5/17/11 1:17 PM, Alexander Leidinger wrote:
> On Tue, 17 May 2011 12:56:40 -0700 Sean Bruno wrote:
>
>> Silly thing I ran into today. User wanted to NFS mount a dir inside a
>> jail. After I groaned about the security implication of this, I noted
>> that there is a sysctl that looks like it should allow this. Namely,
>> security.jail.mount_allowed. I noted that setting this follows a path
>> that *should* have allowed this silly thing to happen, except that the
>> credentials in the nfsclient were not set up correctly.
>
> As you noticed, this is supposed to allow mounting inside a jail, IF
> the FS you want to mount is marked as secure/safe to do so. Nearly no
> FS is marked as such, as nobody wants to guarantee that it is safe
> (root in a jail should not be able to panic a system by trying to
> mount a corrupt/malicious FS-image) and secure (not possible to get
> elevated access/privileges).
>
> For NFS there is theoretically the problem that the outgoing address on
> requests could be the one of the physical host instead of the IP of the
> jail. Whether this is true in practice, I do not know. This could be
> the reason why NFS is not marked with VFCF_JAIL.

A vimage jail would not have that problem if we've done it right.

> Bye,
> Alexander.
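An added audit script (not from the thread, nor FreeBSD's own code) that applies the two conditions Alexander describes: the host-wide security.jail.mount_allowed sysctl and the per-filesystem VFCF_JAIL mark. It assumes lsvfs(1) reports VFCF_JAIL as a "jail" token in its Flags column; the lsvfs-style listing embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: report whether root in a jail could mount a given
# filesystem type on this host. Both gates from the thread must pass:
# the global sysctl and the filesystem's VFCF_JAIL flag.

# Read lsvfs-style output on stdin (header, then: name number refs flags...)
# and print the names of filesystems whose flags include "jail".
# Assumption: lsvfs(1) spells VFCF_JAIL as the token "jail".
jail_safe_fs() {
    awk 'NR > 1 && NF >= 3 {
        safe = 0
        for (i = 4; i <= NF; i++) if ($i == "jail") safe = 1
        if (safe) print $1
    }'
}

# Return 0 if filesystem $1 is in the jail-safe list built from stdin.
fs_is_jail_safe() {
    jail_safe_fs | grep -qx "$1"
}

# $1 = value of security.jail.mount_allowed, $2 = filesystem name,
# stdin = lsvfs output. Mounting inside a jail needs both to permit it.
jail_can_mount() {
    if [ "$1" != 1 ]; then
        echo "denied: security.jail.mount_allowed=$1"
        return 1
    fi
    if fs_is_jail_safe "$2"; then
        echo "allowed: $2 carries the jail flag"
        return 0
    fi
    echo "denied: $2 is not marked jail-safe (no VFCF_JAIL)"
    return 1
}

# Constructed sample in lsvfs layout; which filesystems carry "jail" on a
# real host comes from running lsvfs there.
SAMPLE_LSVFS='Filesystem   Num        Refs  Flags
ufs          0x00000035     1
nfs          0x0000003a     0  network
nullfs       0x00000029     0  loopback jail
procfs       0x00000002     0  synthetic jail'

if [ "$(uname -s)" = FreeBSD ]; then
    lsvfs | jail_can_mount "$(sysctl -n security.jail.mount_allowed)" nfs || :
else
    for fs in nullfs nfs; do
        printf '%s\n' "$SAMPLE_LSVFS" | jail_can_mount 1 "$fs" || :
    done
fi
```

On a FreeBSD host the script consults the live sysctl and lsvfs; elsewhere it runs against the constructed sample so the decision logic can still be exercised.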