Re: request for (security) comments on this setup

2008-09-22 Thread Bjoern A. Zeeb

On Mon, 22 Sep 2008, Randy Schultz wrote:

> Hi,
>
> I'm mounting some iSCSI storage in a jail.  It's mounting in the jail via
> fstab.jailname.  When the jail is up and I'm logged into the jail I can cd
> to the mount point, r/w etc., everything seems to work.  What's weird tho'
> is, while a df on the parent shows the partition mounted as expected, a df
> inside the jail shows the local disk but not the iSCSI mount.
> ...
> So, my first question is what am I missing, the second is does mounting
> things this way into a jail pose any sort of risk for escaping the jail?


Does anything change if you do a
sysctl security.jail.enforce_statfs=1

If that's what you want you can add the following lines to
/etc/sysctl.conf in the base system so it is automatically set upon
boot:

# jails
security.jail.enforce_statfs=1


/bz


--
Bjoern A. Zeeb  Stop bit received. Insert coin for new game.
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: request for (security) comments on this setup

2008-09-22 Thread Greg Larkin

Miroslav Lachman wrote:
> Bjoern A. Zeeb wrote:
>> On Mon, 22 Sep 2008, Randy Schultz wrote:
>>
>>> Hi,
>>>
>>> I'm mounting some iSCSI storage in a jail.  It's mounting in the jail via
>>> fstab.jailname.  When the jail is up and I'm logged into the jail I can cd
>>> to the mount point, r/w etc., everything seems to work.  What's weird tho'
>>> is, while a df on the parent shows the partition mounted as expected, a df
>>> inside the jail shows the local disk but not the iSCSI mount.
>>> ...
>>> So, my first question is what am I missing, the second is does mounting
>>> things this way into a jail pose any sort of risk for escaping the jail?
>>
>> Does anything change if you do a
>> sysctl security.jail.enforce_statfs=1
>>
>> If that's what you want you can add the following lines to
>> /etc/sysctl.conf in the base system so it is automatically set upon
>> boot:
>>
>> # jails
>> security.jail.enforce_statfs=1
>
> Does this have any impact on security?
>
> # sysctl -d security.jail.enforce_statfs
> security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems
>
> What is this sysctl implemented for?
>
> Thanks
>
> Miroslav Lachman

Hi Miroslav,

From the jail(8) man page:

security.jail.enforce_statfs

This MIB entry determines which information processes in a jail are
able to get about mount-points.  It affects the behaviour of the
following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
fhstatfs(2) (as well as similar compatibility syscalls).  When set
to 0, all mount-points are available without any restrictions.  When
set to 1, only mount-points below the jail's chroot directory are
visible.  In addition to that, the path to the jail's chroot
directory is removed from the front of their pathnames.  When set to 2
(default), above syscalls can operate only on a mount-point where
the jail's chroot directory is located.

Hope that helps,
Greg
--
Greg Larkin

http://www.FreeBSD.org/   - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.



Re: request for (security) comments on this setup

2008-09-22 Thread Miroslav Lachman

Greg Larkin wrote:
> Miroslav Lachman wrote:
>> Bjoern A. Zeeb wrote:
>>> On Mon, 22 Sep 2008, Randy Schultz wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm mounting some iSCSI storage in a jail.  It's mounting in the jail via
>>>> fstab.jailname.  When the jail is up and I'm logged into the jail I can cd
>>>> to the mount point, r/w etc., everything seems to work.  What's weird tho'
>>>> is, while a df on the parent shows the partition mounted as expected, a df
>>>> inside the jail shows the local disk but not the iSCSI mount.
>>>> ...
>>>> So, my first question is what am I missing, the second is does mounting
>>>> things this way into a jail pose any sort of risk for escaping the jail?
>>>
>>> Does anything change if you do a
>>> sysctl security.jail.enforce_statfs=1
>>>
>>> If that's what you want you can add the following lines to
>>> /etc/sysctl.conf in the base system so it is automatically set upon
>>> boot:
>>>
>>> # jails
>>> security.jail.enforce_statfs=1
>>
>> Does this have any impact on security?
>>
>> # sysctl -d security.jail.enforce_statfs
>> security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems
>>
>> What is this sysctl implemented for?
>>
>> Thanks
>>
>> Miroslav Lachman
>
> Hi Miroslav,
>
> From the jail(8) man page:
>
> security.jail.enforce_statfs
>
> This MIB entry determines which information processes in a jail are
> able to get about mount-points.  It affects the behaviour of the
> following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
> fhstatfs(2) (as well as similar compatibility syscalls).  When set
> to 0, all mount-points are available without any restrictions.  When
> set to 1, only mount-points below the jail's chroot directory are
> visible.  In addition to that, the path to the jail's chroot
> directory is removed from the front of their pathnames.  When set to 2
> (default), above syscalls can operate only on a mount-point where
> the jail's chroot directory is located.
>
> Hope that helps,
> Greg


Thank you, I forgot to open the jail(8) man page before posting :)
If I understand it correctly, it is just about what information (about
mountpoints) is visible to processes inside the jail, without any security
impact, and it is safe to use security.jail.enforce_statfs=1. Am I right?
(I am sorry for the maybe dumb questions, but I am not a kernel/OS developer
and statfs, fstatfs, getfsstat did not tell me much.)


Miroslav Lachman


Re: request for (security) comments on this setup

2008-09-22 Thread Greg Larkin

Miroslav Lachman wrote:
> Greg Larkin wrote:
> [...]
>>
>> Hi Miroslav,
>>
>> From the jail(8) man page:
>>
>> security.jail.enforce_statfs
>>
>> This MIB entry determines which information processes in a jail are
>> able to get about mount-points.  It affects the behaviour of the
>> following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
>> fhstatfs(2) (as well as similar compatibility syscalls).  When set
>> to 0, all mount-points are available without any restrictions.  When
>> set to 1, only mount-points below the jail's chroot directory are
>> visible.  In addition to that, the path to the jail's chroot
>> directory is removed from the front of their pathnames.  When set to 2
>> (default), above syscalls can operate only on a mount-point where
>> the jail's chroot directory is located.
>>
>> Hope that helps,
>> Greg
>
> Thank you, I forgot to open the jail(8) man page before posting :)
> If I understand it correctly, it is just about what information (about
> mountpoints) is visible to processes inside the jail, without any security
> impact, and it is safe to use security.jail.enforce_statfs=1. Am I right?
> (I am sorry for the maybe dumb questions, but I am not a kernel/OS developer
> and statfs, fstatfs, getfsstat did not tell me much.)

No worries - I did a little experiment with a jail I have running to
show you what the jail can see for different settings of the sysctl:

--- enforce_statfs=2 (default)

[EMAIL PROTECTED] ~]$ df
Filesystem   1K-blocks    Used   Avail Capacity  Mounted on
/dev/da1s1d    8119416 6401772 1068092    86%    /

--- enforce_statfs=1

[EMAIL PROTECTED] ~]$ df
Filesystem   1K-blocks    Used   Avail Capacity  Mounted on
/dev/da1s1d    8119416 6401772 1068092    86%    /
devfs                1       1       0   100%    /dev
procfs               4       4       0   100%    /proc

--- enforce_statfs=0

[EMAIL PROTECTED] ~]$ df
Filesystem   1K-blocks    Used   Avail Capacity  Mounted on
/dev/da0s1a     507630   46858  420162    10%    /
devfs                1       1       0   100%    /dev
/dev/da0s1e     444142   91984  316628    23%    /tmp
/dev/da0s1g    5074328  985860 3682522    21%    /usr
/dev/da0s1d      63214   20352   37806    35%    /usr/home
/dev/da0s1f    1012974  280278  651660    30%    /var
/dev/da1s1d    8119416 6401772 1068092    86%    /SHN
/dev/da3s1d    2025328 1128128  735174    61%    /usr/ports
/dev/da2s1d    2025328  444708 1418594    24%    /usr/src
devfs                1       1       0   100%    /var/named/dev
devfs                1       1       0   100%    /SHN/Jails/Jail3/dev
procfs               4       4       0   100%    /SHN/Jails/Jail3/proc


It looks like setting 1 or 2 is sufficient for programs executing in the
jail.  If the sysctl is set to 0, you can see the filesystems on the
host server, but you still can't access them, as far as I can tell.

Regards,
Greg
--
Greg Larkin

http://www.FreeBSD.org/   - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.

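Greg's three df runs are exactly what the jail(8) text quoted earlier in the thread predicts. The script below is added here as an illustration (it is not from the thread and not FreeBSD's kernel code): it models the enforce_statfs filtering over Greg's host mount table for all three sysctl values and also covers the jail-rooted-at-"/" corner. It assumes the jail in his experiment is rooted at /SHN/Jails/Jail3, inferred from the devfs/procfs lines of his enforce_statfs=0 run.

```python
# Added example, not from the thread or FreeBSD's sources: a user-space model of
# how security.jail.enforce_statfs filters what statfs(2)/getfsstat(2) report
# to a jailed process, following the jail(8) wording quoted in the thread.
# Assumption: the jail in Greg's runs is rooted at /SHN/Jails/Jail3.

# Constructed host mount table, transcribed from Greg's enforce_statfs=0 df run.
HOST_MOUNTS = [
    ("/dev/da0s1a", "/"), ("devfs", "/dev"), ("/dev/da0s1e", "/tmp"),
    ("/dev/da0s1g", "/usr"), ("/dev/da0s1d", "/usr/home"),
    ("/dev/da0s1f", "/var"), ("/dev/da1s1d", "/SHN"),
    ("/dev/da3s1d", "/usr/ports"), ("/dev/da2s1d", "/usr/src"),
    ("devfs", "/var/named/dev"), ("devfs", "/SHN/Jails/Jail3/dev"),
    ("procfs", "/SHN/Jails/Jail3/proc"),
]
JAIL_ROOT = "/SHN/Jails/Jail3"  # assumed jail chroot directory


def _contains(mountpoint, path):
    """True if `path` lies on or below `mountpoint` (a path-prefix test)."""
    return mountpoint == "/" or path == mountpoint or path.startswith(mountpoint + "/")


def mounts_visible(mounts, jail_root, enforce_statfs):
    """Return [(device, mountpoint as seen inside the jail)] for one sysctl value.

    `mounts` is the host-side list of (device, mountpoint). The mount the jail's
    chroot directory lives on is the deepest host mount whose path contains it.
    """
    root_mp = max((mp for _, mp in mounts if _contains(mp, jail_root)), key=len)
    base = jail_root.rstrip("/")          # "" when the jail root is "/"
    visible = []
    for dev, mp in mounts:
        if enforce_statfs == 0:
            visible.append((dev, mp))     # unrestricted: host paths exposed as-is
        elif mp == root_mp:
            visible.append((dev, "/"))    # the jail's root mount is always shown, as "/"
        elif enforce_statfs == 1 and mp.startswith(base + "/"):
            visible.append((dev, mp[len(base):]))  # below the chroot: strip its path
        # any other value (2 and above) hides everything but the root mount
    return visible


def df_lines(mounts, jail_root, enforce_statfs):
    """Render the filtered table roughly the way df(1) prints 'Mounted on'."""
    return ["%-12s %s" % row for row in mounts_visible(mounts, jail_root, enforce_statfs)]


if __name__ == "__main__":
    for level in (2, 1, 0):
        print("--- enforce_statfs=%d" % level)
        print("\n".join(df_lines(HOST_MOUNTS, JAIL_ROOT, level)))
```

Note that this only models what the syscalls report; as Greg observes, visibility of a host mount point at level 0 does not by itself grant access to it.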