Date:      Tue, 17 May 2011 22:17:12 +0200
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        sbruno@freebsd.org
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: NFS mount inside jail fails
Message-ID:  <20110517221712.00006e91@unknown>
In-Reply-To: <1305662200.2633.11.camel@hitfishpass-lx.corp.yahoo.com>
References:  <1305662200.2633.11.camel@hitfishpass-lx.corp.yahoo.com>

On Tue, 17 May 2011 12:56:40 -0700 Sean Bruno <seanbru@yahoo-inc.com>
wrote:

> Silly thing I ran into today.  User wanted to NFS mount a dir inside a
> jail.  After I groaned about the security implication of this, I noted
> that there is a sysctl that looks like it should allow this.  Namely,
> security.jail.mount_allowed.  I noted that setting this follows a path
> that *should* have allowed this silly thing to happen, except that the
> credentials in the nfsclient were not set up correctly.

As you noticed, this is supposed to allow mounting inside a jail, IF
the FS you want to mount is marked as secure/safe to do so. Nearly no
FS is marked as such, as nobody wants to guarantee that it is safe
(root in a jail should not be able to panic a system by trying to
mount a corrupt/malicious FS-image) and secure (not possible to get
elevated access/privileges).

For NFS there is theoretically the problem that the outgoing address on
requests could be the one of the physical host instead of the IP of the
jail. If this is true in practice, I do not know. This could be
the reason why NFS is not marked with VFCF_JAIL.

Bye,
Alexander.

-- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
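
The two gates discussed in this message (the security.jail.mount_allowed sysctl and the per-filesystem VFCF_JAIL flag) can be checked from the host with a short script. This is an added example, not part of the original e-mail or of FreeBSD; it assumes lsvfs(1) prints VFCF_JAIL as the flag word "jail", and the sample listing is constructed for illustration.

```sh
#!/bin/sh
# Added example: report whether a jailed mount of a filesystem type would pass
# the two gates named in the message. It models only those two checks.

# Constructed sample of lsvfs(1)-style output; real flags differ per system.
SAMPLE_LSVFS='Filesystem                              Num  Refs  Flags
-------------------------------- ---------- ----- ---------------
ufs                              0x00000035     1
nfs                              0x0000003a     0 network
devfs                            0x00000071     1 synthetic, jail
nullfs                           0x00000029     0 loopback, jail'

# jail_flagged FSTYPE: reads lsvfs-style text on stdin and succeeds if FSTYPE
# lists "jail" among its comma-separated flags.
jail_flagged() {
    awk -v fs="$1" '
        $1 == fs {
            for (i = 2; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (f == "jail") found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# jail_mount_verdict FSTYPE MOUNT_ALLOWED: prints the verdict and, if the
# mount is refused, which gate refuses it. Reads lsvfs-style text on stdin.
jail_mount_verdict() {
    if [ "$2" != "1" ]; then
        echo "denied: security.jail.mount_allowed is not 1"
    elif jail_flagged "$1"; then
        echo "permitted: $1 carries VFCF_JAIL"
    else
        echo "denied: $1 lacks VFCF_JAIL"
    fi
}

# On a FreeBSD host:
#   lsvfs | jail_mount_verdict nfs "$(sysctl -n security.jail.mount_allowed)"
printf '%s\n' "$SAMPLE_LSVFS" | jail_mount_verdict nfs 1
```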
