UNIX domain sockets on nullfs still broken?

Alexander Leidinger Alexander at Leidinger.net
Thu Dec 3 07:56:06 UTC 2009 

Quoting Julian Elischer <julian at elischer.org> (from Wed, 02 Dec 2009  
09:43:25 -0800):

> Alexander Leidinger wrote:
>> Quoting Linda Messerschmidt <linda.messerschmidt at gmail.com> (from  
>> Tue, 1 Dec 2009 10:22:02 -0500):
>>
>>> On Mon, Nov 30, 2009 at 10:14 AM, Ivan Voras <ivoras at freebsd.org> wrote:
>>>>> What's the sane solution, then, when the only method of communication
>>>>> is unix domain sockets?
>>>>
>>>> It is a security problem. I think the long-term solution would be to add a
>>>> sysctl analogous to security.jail.param.securelevel to handle this.
>>>
>>> Out of curiosity, why is allowing accessing to a Unix domain socket in
>>> a filesystem to which a jail has explicitly been allowed access more
>>> or less secure than allowing access to a file or a devfs node in a
>>> filesystem to which a jail has explicitly been allowed access?
>>
>> Answer A: There is no difference.
>>
>> Answer B: You open up a direct communication channel between two  
>> systems, which may not have been able to communicate before  
>> (firewall rules, ...). With files you can do something similar too,  
>> but having a socket there makes it more easy and you do not need to  
>> write extra code. It is similar to enabling SHM access in jails  
>> (currently all jails share the same SHM area). And depending on the  
>> application with the socket, you may be able to change files on the  
>> other side, to which you do not have access to otherwise (think  
>> about a daemon which changes passwords...).
>
> I have used chroots and jails in a way that relies on the ability of a
> shared unix domain pipe being usable to communicate between them, and
> I also see why it may not be good.

What worries me is, that it seems from comments in this thread, that  
nullfs is having a tighter security regarding jails than UFS/ZFS. I  
think all should work consistently in this regard (which would mean  
there will be a regression for some people if we switch UFS/ZFS to  
work in the same way).

> I suggest that the ability to do so might be somehow controllable by
> the jail creator in some way.
>
>>
>> Answer A is good if you control what is run where and how, and if  
>> you use jails for easy data migration and program separation  
>> (lightweight virtualization).
>>
>> Answer B is valid if you are an ISP which rents jails (in this case  
>> you do not share a FS read-write anyway (at leat you shouldn't) and  
>> the point does not really matter).
>>
>> Pick the answer depending on your viewpoint / security requirements  
>> and the software you are using.
>>
>> As both points are valid, we should provide the possibility to have  
>> both situations working.
>
> yes please.
>  A sysctl would do at a pinch, but maybe a per-jail setting might be  
> possible too.

Per-Jail is not a problem, I just need to know where the priv check is  
which is causing this behavior (so far I thought it is some limitation  
of nullfs and not a priv check). So far I hadn't the time to search  
for it, I want to finish the import of v4l in the linuxulator first.

Bye,
Alexander.

-- 
BOFH excuse #102:

Power company testing new voltage spike (creation) equipment

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

More information about the freebsd-hackers mailing list