gmirror security problem on jail env?

Oliver Fromme olli at
Mon May 7 10:17:18 UTC 2007

Manuel Martini wrote:
 > # sysctl -a | grep jail
 > [...]
 > security.jail.jailed: 1
 > # df
 > Filesystem         1K-blocks     Used     Avail Capacity  Mounted on
 > /dev/mirror/gm0s1g 129719744 17056610 102285556    14%    /
 > # gmirror status
 >        Name    Status  Components
 > mirror/gm0  COMPLETE  da0
 > so I think I can do...
 > gmirror remove.. stop.. deactive...

No, you can do "status" and "list", but everything else
should result in "permission denied".  Note that you can
do "gmirror status" and "gmirror list" as normal user,
even as user nobody.  It doesn't require any special
privileges, so it works in jails, too.  In fact, you
can get the geom status (in XML format) with the command
"sysctl -b kern.geom.confxml".

Unfortunately there is currently no easy way to suppress
that information.  If you don't want jailed users to be
able to see your geom configuration, you need to modify
the kernel source code.

Best regards

Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:

"I started using PostgreSQL around a month ago, and the feeling is
similar to the switch from Linux to FreeBSD in '96 -- 'wow!'."
        -- Oddbjorn Steffensen

More information about the freebsd-stable mailing list