Date:      Thu, 10 Dec 2009 10:59:20 +0100
From:      Ivan Voras <ivoras@freebsd.org>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        freebsd-hackers@freebsd.org, Linda Messerschmidt <linda.messerschmidt@gmail.com>
Subject:   Re: UNIX domain sockets on nullfs still broken?
Message-ID:  <9bbcef730912100159s49704c18o1225d060c422b273@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.0912100943450.23303@fledge.watson.org>
References:  <20091130142950.GA86528@logik.internal.network>  <hf0lle$5mk$1@ger.gmane.org> <20091130150127.GA82188@logik.internal.network>  <hf0ngp$cpb$1@ger.gmane.org> <237c27100912010722g2f6c4647ga82370284bc26e20@mail.gmail.com>  <alpine.BSF.2.00.0912100943450.23303@fledge.watson.org>

2009/12/10 Robert Watson <rwatson@freebsd.org>:
>
> On Tue, 1 Dec 2009, Linda Messerschmidt wrote:
>
>> On Mon, Nov 30, 2009 at 10:14 AM, Ivan Voras <ivoras@freebsd.org> wrote:
>>>>
>>>> What's the sane solution, then, when the only method of communication
>>>> is unix domain sockets?
>>>
>>> It is a security problem. I think the long-term solution would be to add
>>> a sysctl analogous to security.jail.param.securelevel to handle this.
>>
>> Out of curiosity, why is allowing access to a Unix domain socket in a
>> filesystem to which a jail has explicitly been allowed access more or less
>> secure than allowing access to a file or a devfs node in a filesystem to
>> which a jail has explicitly been allowed access?
>
> (I seem to have caught this thread rather late in the game due to being on
> travel) -- Ivan is wrong about nullfs, it's broken due to a bug, not a
> feature, and that bug is not present when using a single file system. He's
> thinking of unionfs semantics, where if it worked it would be a bug. :-)

You have a point there. I was actually thinking more of sysvshm -
which doesn't have anything to do with any of the issues here - but
has some of the same properties (and is also used by databases - e.g.
postgresql, which I'm using daily, so it sort of cross-linked). The
reason I'd like the nullfs barrier kept is that it (like shm) is used
for IPC, and in this case, IPC across different jails (though a file
system itself can also be used, so...). It's not a big issue - I'll also
accept that it's the operator's fault if he doesn't know that sharing file
systems will also share the sockets and fifos on them...



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9bbcef730912100159s49704c18o1225d060c422b273>