Handbook chapter for jail best practices needs a security remark

olevole olevole at olevole.ru
Wed Sep 4 09:40:42 UTC 2013


Mounting a directory via nullfs, when the RW part is mounted above the RO part from the same
filesystem, is insecure for the RO location,
because it allows you to edit a file in the RO place via a hardlink, due to the fact
that the two files share one inode.

For example (by root user):

% mkdir /usr/chroot
% bsdinstall jail /usr/chroot
% mount_nullfs -oro /bin /usr/chroot/bin
% mkdir /rw
% mount_nullfs /rw /usr/chroot/root

% chroot /usr/chroot
% touch /bin/date
touch: /bin/date: Read-only file system
 
% cd ~
% ln /bin/date
% ls -i /bin/date /root/date
58182 /bin/date         58182 /root/date

(open /root/date in vi editor and change something)
% vi date
dd
:wq!

(logout from chroot)
% exit

(now /bin/date is corrupted)
% /bin/date
/bin/date: Exec format error. Binary file not executable.

Such a scheme, where the RW data is overlaid above the RO data, is popular for jail
hosting and is described in the Handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html

Perhaps it is worth mentioning in the article
the need to separate the base onto cross-device storage, or to place it on a read-only
system.



More information about the freebsd-doc mailing list
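The mail shows the symptom (identical inode numbers on both sides of the RO nullfs mount) after the fact. A host administrator wants to detect the condition before a jail is populated: does the writable nullfs source share a backing filesystem with the read-only nullfs source? If it does, a hardlink inside the jail can reach the RO files, as reported above; if the two sources live on different filesystems, link(2) fails with EXDEV and the trick does not work. The script below is an added example written for this editor's note; it is not code from the original post, from the Handbook or from FreeBSD. It resolves a path to its backing device by walking a mount table in the fstab-style format printed by `mount -p` on FreeBSD, following nullfs sources until it reaches a real filesystem. The two mount tables are constructed by hand to mirror the layout in the mail (first table) and the same layout with /rw moved to its own filesystem (second table); on a live host you would pass the output of `mount -p` instead.

```shell
#!/bin/sh
# Added example, not from the original post. Audit whether two paths inside a
# jail root (typically the RO base and the RW overlay) share a backing
# filesystem, which is the precondition for the hardlink trick in the mail.
#
# Input: a mount table in `mount -p` format (FreeBSD):
#   special mountpoint fstype options dump pass
# The tables below are CONSTRUCTED samples, not captured from a real host.

# Layout from the mail: /rw is a plain directory on /, so both nullfs
# sources (/bin and /rw) sit on the same UFS filesystem.
MOUNT_TABLE_INSECURE='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 /usr ufs rw 2 2
/bin /usr/chroot/bin nullfs ro 0 0
/rw /usr/chroot/root nullfs rw 0 0'

# Same jail layout, but /rw is its own filesystem (hypothetical /dev/ada0p4),
# so a hardlink from /usr/chroot/root into /usr/chroot/bin fails with EXDEV.
MOUNT_TABLE_SEPARATED='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 /usr ufs rw 2 2
/dev/ada0p4 /rw ufs rw 2 2
/bin /usr/chroot/bin nullfs ro 0 0
/rw /usr/chroot/root nullfs rw 0 0'

# backing_fs TABLE PATH
# Print the device that ultimately stores PATH. Pick the longest mount point
# that is a prefix of PATH; if that mount is nullfs, re-root PATH under the
# nullfs source and resolve again, until a non-nullfs mount is reached.
backing_fs() {
    _table=$1
    _path=$2
    _depth=0
    while :; do
        _line=$(printf '%s\n' "$_table" | awk -v p="$_path" '
            BEGIN { best = 0 }
            {
                mp = $2
                # "/" covers everything; otherwise PATH must equal the mount
                # point or continue below it with a "/" separator.
                if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                    if (length(mp) > best) {
                        best = length(mp); src = $1; fst = $3; bmp = mp
                    }
                }
            }
            END { if (best) print src, fst, bmp }')
        [ -n "$_line" ] || { echo "no mount covers $_path" >&2; return 1; }
        set -- $_line            # $1=source $2=fstype $3=mountpoint
        if [ "$2" != nullfs ]; then
            printf '%s\n' "$1"
            return 0
        fi
        _rest=${_path#"$3"}               # part of PATH below the nullfs mount
        _path="${1%/}/${_rest#/}"         # re-root it under the nullfs source
        _path=${_path%/}
        [ -n "$_path" ] || _path=/
        _depth=$((_depth + 1))
        [ "$_depth" -lt 16 ] || { echo "nullfs chain too deep" >&2; return 1; }
    done
}

# shares_backing_fs TABLE PATH_A PATH_B
# Print "same" when both paths resolve to one device (hardlinks between them
# are possible, so an RO nullfs mount protects nothing), else "different".
shares_backing_fs() {
    _a=$(backing_fs "$1" "$2") || return 1
    _b=$(backing_fs "$1" "$3") || return 1
    if [ "$_a" = "$_b" ]; then echo same; else echo different; fi
}

# On a real host: shares_backing_fs "$(mount -p)" /usr/jail/bin /usr/jail/root
echo "layout from the mail:  $(shares_backing_fs "$MOUNT_TABLE_INSECURE" /usr/chroot/bin /usr/chroot/root)"
echo "separated /rw:         $(shares_backing_fs "$MOUNT_TABLE_SEPARATED" /usr/chroot/bin /usr/chroot/root)"
```

A "same" verdict means the read-only flag on the nullfs mount is cosmetic for this jail: move the writable part to a separate filesystem (a dedicated partition, md(4) image or ZFS dataset) or keep the base on a read-only filesystem, as the mail suggests. The check only covers the hardlink path; it says nothing about other ways of sharing files between jails.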