Access to system extattrs from within a jail

Andriy Syrovenko andriys at gmail.com
Sun May 27 20:32:46 UTC 2012


Hello,

The current implementation of FreeBSD jails does not allow access to
extattrs in the system namespace from within a jail. I think, however,
that there are cases where it is desirable to allow jailed root to
access and modify system extended attributes. One case is running
jailed Samba, which, under certain circumstances, may store
information in system extended attributes.

Please find attached two patches that solve this issue for me. They
add an additional jail parameter, "allow.extattr_system". When set to 1,
this parameter allows jailed root to access and manipulate extattrs in
the system namespace. I've tested the patches on 9.0-RELEASE.

Are there any security concerns I may have overlooked? Is there any
chance of seeing these patches committed to base?

Best regards,
Andrey.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jail_extaddr_system_kern.patch
Type: application/octet-stream
Size: 2278 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20120527/db37eb1a/jail_extaddr_system_kern.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jail_extaddr_system_user.patch
Type: application/octet-stream
Size: 492 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20120527/db37eb1a/jail_extaddr_system_user.obj