gmirror security problem on jail env?
Oliver Fromme
olli at lurza.secnetix.de
Mon May 7 10:17:18 UTC 2007
Manuel Martini wrote:
> # sysctl -a | grep jail
> [...]
> security.jail.jailed: 1
> # df
> Filesystem 1K-blocks Used Avail Capacity Mounted on
> /dev/mirror/gm0s1g 129719744 17056610 102285556 14% /
> # gmirror status
> Name Status Components
> mirror/gm0 COMPLETE da0
>
> so I think I can do...
> gmirror remove.. stop.. deactivate...
No, you can do "status" and "list", but everything else
should result in "permission denied". Note that you can
do "gmirror status" and "gmirror list" as a normal user,
even as user nobody. It doesn't require any special
privileges, so it works in jails, too. In fact, you
can get the geom status (in XML format) with the command
"sysctl -b kern.geom.confxml".

Unfortunately there is currently no easy way to suppress
that information. If you don't want jailed users to be
able to see your geom configuration, you need to modify
the kernel source code.
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registration court Munich, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registration court
Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd
"I started using PostgreSQL around a month ago, and the feeling is
similar to the switch from Linux to FreeBSD in '96 -- 'wow!'."
-- Oddbjorn Steffensen