NFS mount inside jail fails

Julian Elischer julian at freebsd.org
Tue May 17 23:14:17 UTC 2011


On 5/17/11 1:17 PM, Alexander Leidinger wrote:
> On Tue, 17 May 2011 12:56:40 -0700 Sean Bruno <seanbru at yahoo-inc.com>
> wrote:
>
>> Silly thing I ran into today.  User wanted to NFS mount a dir inside a
>> jail.  After I groaned about the security implication of this, I noted
>> that there is a sysctl that looks like it should allow this.  Namely,
>> security.jail.mount_allowed.  I noted that setting this follows a path
>> that *should* have allowed this silly thing to happen, except that the
>> credentials in the nfsclient were not set up correctly.
> As you noticed, this is supposed to allow mounting inside a jail, IF
> the FS you want to mount is marked as secure/safe to do so. Nearly no
> FS is marked as such, as nobody wants to guarantee that it is safe
> (root in a jail should not be able to panic a system by trying to
> mount a corrupt/malicious FS-image) and secure (not possible to get
> elevated access/privileges).
>
> For NFS there is theoretically the problem that the outgoing address on
> requests could be the one of the physical host instead of the IP of the
> jail. If this is true in practice, I do not know. This could be
> the reason why NFS is not marked with VFCF_JAIL.

A vimage jail would not have that problem if we've done it right.

> Bye,
> Alexander.
>
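
[Added example, not part of the thread or of FreeBSD itself.] The two conditions described above (security.jail.mount_allowed set, and the filesystem type marked VFCF_JAIL) can be audited from lsvfs(1) output, which shows that marker as the "jail" flag. The column layout in the constructed sample, and the function names jail_mountable_fs and mount_gate, are assumptions for illustration; the gate is a simplified model of the check, not the kernel's code.

```shell
#!/bin/sh
# Constructed sample of lsvfs output; on a FreeBSD host pipe real `lsvfs` in.
SAMPLE_LSVFS='Filesystem                              Num  Refs  Flags
-------------------------------- ---------- -----  ---------------
ufs                              0x00000035     1
nfs                              0x0000003a     0  network
devfs                            0x00000071     2  synthetic, jail
zfs                              0x000000de     4  jail, delegated-administration'

# Print every filesystem type whose flag list contains "jail"
# (the VFCF_JAIL marker). Reads lsvfs output on stdin.
jail_mountable_fs() {
    awk '
        $1 == "Filesystem" || $1 ~ /^-+$/ { next }   # skip header rows
        {
            for (i = 2; i <= NF; i++) {
                flag = $i
                gsub(/,/, "", flag)                  # flags are comma-separated
                if (flag == "jail") { print $1; break }
            }
        }'
}

# mount_gate FSTYPE MOUNT_ALLOWED
# Reads lsvfs output on stdin; MOUNT_ALLOWED is the value of
# security.jail.mount_allowed. Prints the decision and the reason.
mount_gate() {
    fstype=$1 allowed=$2
    jail_fs=$(jail_mountable_fs)
    if [ "$allowed" != "1" ]; then
        echo "denied: security.jail.mount_allowed is off"
    elif printf '%s\n' "$jail_fs" | grep -qx -- "$fstype"; then
        echo "permitted"
    else
        echo "denied: $fstype is not marked jail-safe"
    fi
}

# On a live host (not run here):
#   lsvfs | mount_gate nfs "$(sysctl -n security.jail.mount_allowed)"
for fs in nfs zfs; do
    printf '%s: ' "$fs"
    printf '%s\n' "$SAMPLE_LSVFS" | mount_gate "$fs" 1
done
```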


