Date: Tue, 17 May 2011 16:14:10 -0700
From: Julian Elischer <julian@freebsd.org>
To: Alexander Leidinger <Alexander@Leidinger.net>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: NFS mount inside jail fails
Message-ID: <4DD30142.4010103@freebsd.org>
In-Reply-To: <20110517221712.00006e91@unknown>
References: <1305662200.2633.11.camel@hitfishpass-lx.corp.yahoo.com> <20110517221712.00006e91@unknown>

On 5/17/11 1:17 PM, Alexander Leidinger wrote:
> On Tue, 17 May 2011 12:56:40 -0700 Sean Bruno <seanbru@yahoo-inc.com>
> wrote:
>
>> Silly thing I ran into today. User wanted to NFS mount a dir inside a
>> jail. After I groaned about the security implication of this, I noted
>> that there is a sysctl that looks like it should allow this. Namely,
>> security.jail.mount_allowed. I noted that setting this follows a path
>> that *should* have allowed this silly thing to happen, except that the
>> credentials in the nfsclient were not set up correctly.
> As you noticed, this is supposed to allow to mount inside a jail, IF
> the FS you want to mount is marked as secure/safe to do so. Nearly no
> FS is marked as such, as nobody wants to guarantee that it is safe
> (root in a jail should not be able to panic a system by trying to
> mount a corrupt/malicious FS-image) and secure (not possible to get
> elevated access/privileges).
>
> For NFS there is theoretically the problem that the outgoing address on
> requests could be the one of the physical host instead of the IP of the
> jail. If this is true in practice, I do not know. This could be
> the reason why NFS is not marked with VFCF_JAIL.

A vimage jail would not have that problem if we've done it right.

> Bye,
> Alexander.
>