handbook chapter for jail best practices needs for security remark
olevole
olevole at olevole.ru
Wed Sep 4 09:40:42 UTC 2013
Mounting a directory via nullfs, when the RW part is mounted above the RO part
from one filesystem, is insecure for the RO location,
because it allows you to edit a file in the RO place via a hard link, due to the fact
that the files share one inode.
For example (by root user):
% mkdir /usr/chroot
% bsdinstall jail /usr/chroot
% mount_nullfs -oro /bin /usr/chroot/bin
% mkdir /rw
% mount_nullfs /rw /usr/chroot/root
% chroot /usr/chroot
% touch /bin/date
touch: /bin/date: Read-only file system
% cd ~
% ln /bin/date
% ls -i /bin/date /root/date
58182 /bin/date 58182 /root/date
(open /root/date in vi editor and change something)
% vi date
dd
:wq!
(logout from chroot)
% exit
(now /bin/date is corrupted)
% /bin/date
/bin/date: Exec format error. Binary file not executable.
Such a scheme, where the RW data is overlaid above the RO data, is popular for jail
hosting and is described in the Handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
Perhaps it is worth mentioning in the article
the need to separate the base onto cross-device storage or to place it on a read-only
system.
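The layout check behind the advice above, as an added example that is not part of the original post or of the Handbook: before mounting, compare the filesystem backing the read-only source (e.g. /bin) with the one backing the writable source (e.g. /rw). POSIX `df -P` is used because its output format is the same on FreeBSD and Linux; the function and variable names are the example's own, and the paths passed in are assumed examples.

```shell
#!/bin/sh
# Print the filesystem (device or nullfs source) that backs a path, using
# POSIX df -P so the same script runs on FreeBSD and Linux. Empty on error.
fs_of() {
    df -P -- "$1" 2>/dev/null | awk 'NR == 2 { print $1 }'
}

# Return 0 when both paths live on the same filesystem (hard links between
# them are possible), 1 when they differ, 2 when a path could not be inspected.
same_filesystem() {
    a=$(fs_of "$1")
    b=$(fs_of "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Audit the two nullfs *sources* (not the mount points inside the jail, since
# df on a nullfs mount reports the source path, not the underlying device).
# The read-only base must not share a filesystem with the writable overlay,
# otherwise -oro on the base mount is defeated by a hard link made from the
# writable side. Returns 0 = safe, 1 = unsafe, 2 = could not check.
check_jail_layout() {
    ro_src=$1
    rw_src=$2
    same_filesystem "$ro_src" "$rw_src"
    rc=$?
    case $rc in
        0) echo "UNSAFE: $ro_src and $rw_src share $(fs_of "$ro_src");" \
                "a hard link from the RW side can modify the RO base" ;;
        1) echo "OK: $ro_src ($(fs_of "$ro_src")) and $rw_src" \
                "($(fs_of "$rw_src")) are on different filesystems" ;;
        *) echo "ERROR: could not inspect $ro_src or $rw_src" ;;
    esac
    return $rc
}

# Usage with the paths from the post (assumed layout; adjust to your host):
#   check_jail_layout /bin /rw
# An "UNSAFE" result means the base should move to a separate device or a
# read-only filesystem before /rw is mounted into the jail.
```

If you need finer granularity than df gives (for example bind or nullfs mounts that report the same source), compare `st_dev` from stat instead; the flag syntax differs between FreeBSD (`stat -f %d`) and GNU stat (`stat -c %d`), which is why this portable version sticks to df.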