misc/103489: [patch] named_chroot_autoupdate doesn't work in a jail
Jeremie Le Hen
jeremie at le-hen.org
Fri Sep 22 08:40:28 PDT 2006
>Number: 103489
>Category: misc
>Synopsis: [patch] named_chroot_autoupdate doesn't work in a jail
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Sep 22 15:40:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Jeremie Le Hen
>Release: FreeBSD 6.1-STABLE i386
>Organization:
>Environment:
System: FreeBSD obiwan 6.1-STABLE FreeBSD 6.1-STABLE #8: Sun Jun 25 18:27:14 CEST 2006 root at obiwan:/usr/obj/usr/src/sys/OBIWAN i386
>Description:
rc.d/named's chroot_autoupdate() unconditionally tries to mount devfs.
This is obviously not possible inside a jail. Though already jailed,
one might want to run a chrooted named(8) inside a jail, in order to
hinder a possible bug exploitation.
This patch tests the security.jail.jailed sysctl before performing the
devfs stuff.
Note this patch doesn't yet allow the user to run a chrooted named(8)
inside a jail; it must come along with PR misc/103486.
>How-To-Repeat:
Straightforward, see description.
>Fix:
Index: named
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/named,v
retrieving revision 1.26
diff -u -p -u -p -r1.26 named
--- named 20 Apr 2006 12:30:12 -0000 1.26
+++ named 22 Sep 2006 15:23:45 -0000
@@ -59,10 +59,12 @@ chroot_autoupdate()
# Mount a devfs in the chroot directory if needed
#
- umount ${named_chrootdir}/dev 2>/dev/null
- devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
- devfs -m ${named_chrootdir}/dev rule apply path null unhide
- devfs -m ${named_chrootdir}/dev rule apply path random unhide
+ if [ `sysctl -n security.jail.jailed` = 0 ]; then
+ umount ${named_chrootdir}/dev 2>/dev/null
+ devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
+ devfs -m ${named_chrootdir}/dev rule apply path null unhide
+ devfs -m ${named_chrootdir}/dev rule apply path random unhide
+ fi
# Copy local timezone information if it is not up to date.
#
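Review bot: the new test on the `+ if [ `sysctl -n security.jail.jailed` = 0 ]; then` line uses an unquoted command substitution, so if sysctl prints nothing (the node is absent or the call fails) the test collapses to `[ = 0 ]` and sh reports a syntax error rather than taking the host path; quote it as `if [ "$(sysctl -n security.jail.jailed)" = 0 ]; then`. The comment `# Mount a devfs in the chroot directory if needed` above the block should also be updated to say the mount is skipped inside a jail, and since the skip is silent, the chroot is then left without /dev/null and /dev/random; a warn-style message at that point would make the dependency on PR misc/103486 visible to the administrator instead of surfacing later as a named(8) start-up failure.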
>Release-Note:
>Audit-Trail:
>Unformatted: