handbook chapter for jail best practices needs for security remark

Valeri Galtsev galtsev at kicp.uchicago.edu
Wed Sep 4 15:22:42 UTC 2013

Nice observation!

Yet: for that to work both rw and ro portions mounted inside the same jail
have to be on the same filesystem. For hardlinks to work, both parts of
hardlink ("source" and "destination") should be on the same filesystem.
Even though I'm not considering myself an expert in security, I will never
have ro and rw filesystem (mounted inside the same jail) to live
physically on the same filesystem...

That said, I'm never using ezjail or some other scripts to lay out jails
for me. So, apart from making a warning in handbook (which is always
instructive and educational!), one may need to audit jail creating
scripts. I'm certain, they are good about that (and my great respects to
authors!), but taking an extra look at specific thing never hurts.


On Wed, September 4, 2013 4:40 am, olevole wrote:
> Mounting directory via nullfs when RW part mounted above RO from one
> filesystem
> is insecure for RO location,
> because it allows you to edit a file by hardlink on RO place, due to the
> fact
> that the files have one inode.
> For example (by root user):
> % mkdir /usr/chroot
> % bsdinstall jail /usr/chroot
> % mount_nullfs -oro /bin /usr/chroot/bin
> % mkdir /rw
> % mount_nullfs /rw /usr/chroot/root
> % chroot /usr/chroot
> % touch /bin/date
> touch: /bin/date: Read-only file system
> % cd ~
> % ln /bin/date
> % ls -i /bin/date /root/date
> 58182 /bin/date         58182 /root/date
> (open /root/date in vi editor and change something)
> % vi date
> dd
> :wq!
> (logout from chroot)
> % exit
> (now /bin/date is corrupted)
> % /bin/date
> /bin/date: Exec format error. Binary file not executable.
> Such scheme when the RW data is overlaid above RO data is popular for jail
> hosting and described in Handbook:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
> Perhaps it is worth mentioning in the article about
> the need to separate base to cross-device storage or place it on a
> read-only
> system.
> _______________________________________________
> freebsd-jail at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247

More information about the freebsd-doc mailing list