NFS mount inside jail fails

Pawel Jakub Dawidek pjd at FreeBSD.org
Wed May 18 14:03:54 UTC 2011 

On Tue, May 17, 2011 at 10:17:12PM +0200, Alexander Leidinger wrote:
> On Tue, 17 May 2011 12:56:40 -0700 Sean Bruno <seanbru at yahoo-inc.com>
> wrote:
> 
> > Silly thing I ran into today.  User wanted to NFS mount a dir inside a
> > jail.  After I groaned about the security implication of this, I noted
> > that there is a sysctl that looks like it should allow this.  Namely,
> > security.jail.mount_allowed.  I noted that setting this follows a path
> > that *should* have allowed this silly thing to happen, except that the
> > credentials in the nfsclient were not setup correctly.
> 
> As you noticed, this is supposed to allow to mount inside a jail, IF
> the FS you want to mount is marked as secure/safe to do so. Nearly no
> FS is marked as such, as nobody wants to guarantee that it is safe
> (root in a jail should not be able to panic a system by trying to
> mount a corrupt/malicious FS-image) and secure (not possible to get
> elevated access/privileges).
> 
> For NFS there is theoretically the problem that the outgoing address on
> requests could be the one of the physical host instead of the IP of the
> jail. If this is true in practice, I do not know. This could be
> the reason why NFS is not marked with VFCF_JAIL.

It is not marked with VFCF_JAIL, because I just had no time to audit
that it is safe. It might be safe in theory.

There are some file systems types that can't be securely mounted within
a jail no matter what, like UFS, MSDOFS, EXTFS, XFS, REISERFS, NTFS,
etc.  because the user mounting it has access to raw storage and can
corrupt it in a way that it will panic entire system.

There are other file systems that don't require access to raw storage
for the user doing the mount and chances are they are safe to mount from
within a jail, like ZFS (user can have access to ZFS datasets, but don't
need access to ZFS pool), NFS, SMBFS, NULLFS, UNIONFS, PROCFS, FDESCFS,
etc. I added VFCF_JAIL flag, so there is general mechanism to mark file
systems as jail-friendly, but back then I only needed it for ZFS.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://yomoli.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20110518/47a95cde/attachment.pgp

More information about the freebsd-hackers mailing list