DEVFS ruleset misbehaves with Jail
Marko Raiha
mjraiha at fade.pp.fi
Sun Nov 7 10:08:14 PST 2004
Hi,
Although this concerns only stable release with me, I mail this to
freebsd-current because I guess this probably concerns also current and
should then be MFCd to STABLE.
I have configured jails with RELENG_5_3 and there seems to be some odd
behaviour when using devfs rulesets with jails. Jails do run
wonderfully, but devfs rulesets don't. I have this kind of setup in
/etc/rc.conf:
# base system /etc/rc.conf jail settings:
# Jails
jail_enable="YES"
jail_list="mail"
jail_set_hostname_allow="NO"
jail_mail_rootdir="/jail/mail"
jail_mail_hostname="mail.example.domain"
jail_mail_ip="192.168.42.42"
jail_mail_exec="/bin/sh /etc/rc"
jail_mail_devfs_enable="YES"
jail_mail_devfs_ruleset="4"
When starting jails with the "/etc/rc.d/jail start" command I get this
error:
WARNING devfs_set_ruleset: you must specify a ruleset number
The jail is started without ruleset 4 defined in /etc/default/devfs.rules.
So, all devices are seen inside /jail/mail/dev. If this can be repeated
and confirmed to be true and not my misconfiguration then this is
clearly a security risk with jails.
The devfs_set_ruleset function is found in file /etc/rc.subr on lines
1192-1209 (FreeBSD: src/etc/rc.subr,v 1.31 2004/07/30 17:19:35 mtm Exp).
It seems that on line 1195 the script evaluates the ruleset incorrectly as
an empty one. I am not familiar with rc-scripts but I tried this simple fix
with success:
fortytwo# diff -u /etc/rc.subr-old /etc/rc.subr-new
@@ -1192,7 +1192,7 @@
devfs_set_ruleset()
{
local devdir rs _me
- [ -n "$1" ] && eval rs=\$$1 || rs=
+ [ -n "$1" ] && eval rs=\$1 || rs=
[ -n "$2" ] && devdir="-m "$2"" || devdir=
_me="devfs_set_ruleset"
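Review bot: on the "+" line, `eval rs=\$1` changes what the first argument means. The old `\$$1` dereferences a variable named by $1, so a caller passing the literal 4 ends up with `rs=$4`, which is unset inside this function and matches the empty ruleset behind the warning; the new form takes $1 as the value itself, so any caller that passes a variable name would now get that name back instead of a number. Decide which contract the function has and state it in a comment above it; if both must work, use $1 directly when it is all digits and dereference it only when it is a valid identifier. With the new form the eval is redundant (`rs=$1` does the same), and because an empty ruleset leaves the jail running with every device visible, the empty case should make the jail start fail rather than only print a warning.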
I am not sure whether the bug is in this function or in the caller giving
the wrong type of parameter. I would appreciate it if some rc-script wizard
would check this and make a proper repair.
Regards,
--
Marko Räihä
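The empty-ruleset behaviour reported above can be reproduced outside rc.subr. The following is an added example, not part of the original message and not FreeBSD's rc code: it places the two eval forms from the diff next to a stricter resolver that accepts either form and refuses anything else. The function names and the variable sample_ruleset are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and sample_ruleset are hypothetical.

# Constructed stand-in for a ruleset that is referred to by variable name.
sample_ruleset=4

# Old line 1195: $1 is treated as the NAME of a variable.
# With $1=4 the eval'd text is "rs=$4", this function's 4th argument (unset).
resolve_old() (
    [ -n "$1" ] && eval rs=\$$1 || rs=
    echo "$rs"
)

# Line 1195 as proposed in the message: $1 is treated as the VALUE.
resolve_patched() (
    [ -n "$1" ] && eval rs=\$1 || rs=
    echo "$rs"
)

# Stricter variant: digits are used as-is, a valid identifier is dereferenced,
# anything else (empty, unset name, shell metacharacters) returns non-zero so
# the caller can refuse to start the jail instead of leaving /dev unrestricted.
resolve_ruleset() (
    case "$1" in
        '') exit 1 ;;
        *[!0-9]*)
            case "$1" in
                [!A-Za-z_]* | *[!A-Za-z0-9_]*) exit 1 ;;
            esac
            eval "rs=\${$1:-}"      # safe: $1 was checked to be an identifier
            ;;
        *) rs=$1 ;;
    esac
    case "$rs" in
        '' | *[!0-9]*) exit 1 ;;
    esac
    echo "$rs"
)

for arg in 4 sample_ruleset; do
    printf '%-15s old=[%s] patched=[%s] strict=[%s]\n' "$arg" \
        "$(resolve_old "$arg")" "$(resolve_patched "$arg")" \
        "$(resolve_ruleset "$arg")"
done
```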