Date: Mon, 22 Sep 2008 21:14:43 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-jail@freebsd.org
Subject: Re: request for (security) comments on this setup
Message-ID: <48D7EEA3.4040504@quip.cz>
In-Reply-To: <20080922155111.T65801@maildrop.int.zabbadoz.net>
References: <Pine.BSF.4.64.0809220809440.16549@tdream.lly.earlham.edu> <20080922155111.T65801@maildrop.int.zabbadoz.net>
Bjoern A. Zeeb wrote:
> On Mon, 22 Sep 2008, Randy Schultz wrote:
>
> Hi,
>
>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
>> fstab.<jailname>. When the jail is up and I'm logged into the jail I can cd
>> to the mount point, r/w etc., everything seems to work. What's weird tho' is,
>> while a df on the parent shows the partition mounted as expected, a df inside
>> the jail shows the local disk but not the iSCSI mount.
>> ...
>> So, my first question is what am I missing, the second is does mounting things
>> this way into a jail pose any sort of risk for escaping the jail?
>
> Does anything change if you do a
> sysctl security.jail.enforce_statfs=1
>
> If that's what you want you can add the following lines to
> /etc/sysctl.conf in the base system so it is automatically set upon
> boot:
>
> # jails
> security.jail.enforce_statfs=1

Does this have any impact on security?

# sysctl -d security.jail.enforce_statfs
security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems

What is this sysctl implemented for?

Thanks

Miroslav Lachman
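The open question in the thread is what `security.jail.enforce_statfs` actually changes. The following POSIX sh script is an added illustration, not code from the message or from FreeBSD itself: it models the three documented levels of the sysctl against a constructed mount table and an assumed jail root of /jails/j1 (both invented for the example). Level 0 exposes every mount on the host, level 1 exposes the file system the jail root lives on plus any mount below the jail root, and level 2 exposes only the jail root's own file system. That is why an iSCSI volume mounted under the jail is missing from df at the restrictive level 2 and appears once the level is lowered to 1; the setting governs how much of the host's mount layout a jailed process can enumerate, which is an information-disclosure control rather than an escape barrier.

```sh
#!/bin/sh
# Constructed sample mount table, "fsspec mountpoint fstype" per line
# (shaped like `mount -p` output; not taken from the original message).
MOUNTS='/dev/ad0s1a / ufs
/dev/ad0s1d /usr ufs
/dev/ad0s1e /jails ufs
/dev/da1s1 /jails/j1/data ufs
/dev/da2s1 /jails/j2/data ufs'

# under PATH MOUNTPOINT: succeed if PATH is MOUNTPOINT or lies below it.
under() {
  case "$2" in
    /) return 0 ;;
  esac
  case "$1" in
    "$2"|"$2"/*) return 0 ;;
  esac
  return 1
}

# root_mount JAILROOT: the longest mount point containing the jail root,
# i.e. the file system the jail's "/" really is.
root_mount() {
  best=''
  while read -r spec mp type; do
    [ -n "$mp" ] || continue
    if under "$1" "$mp" && [ ${#mp} -ge ${#best} ]; then
      best=$mp
    fi
  done <<EOF
$MOUNTS
EOF
  printf '%s\n' "$best"
}

# visible_mounts LEVEL JAILROOT: print the mount points a process in the
# jail would see at the given enforce_statfs level (model of the
# documented semantics, assumed here: 0 = all, 1 = jail root's file
# system plus mounts below the jail root, 2 = jail root's file system only).
visible_mounts() {
  level=$1
  root=$2
  jroot=$(root_mount "$root")
  while read -r spec mp type; do
    [ -n "$mp" ] || continue
    case $level in
      0) printf '%s\n' "$mp" ;;
      1) if [ "$mp" = "$jroot" ] || under "$mp" "$root"; then
           printf '%s\n' "$mp"
         fi ;;
      2) if [ "$mp" = "$jroot" ]; then
           printf '%s\n' "$mp"
         fi ;;
    esac
  done <<EOF
$MOUNTS
EOF
  return 0
}

# Demonstration: what df inside /jails/j1 would list at each level.
for lvl in 0 1 2; do
  echo "security.jail.enforce_statfs=$lvl:"
  visible_mounts "$lvl" /jails/j1
done
```

With the constructed table, the iSCSI-style mount at /jails/j1/data is listed at levels 0 and 1 but not at level 2, while the sibling jail's /jails/j2/data and the host's /usr are only ever listed at level 0.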