request for (security) comments on this setup
Miroslav Lachman
000.fbsd at quip.cz
Mon Sep 22 19:14:14 UTC 2008
Bjoern A. Zeeb wrote:
> On Mon, 22 Sep 2008, Randy Schultz wrote:
>
> Hi,
>
>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
>> fstab.<jailname>. When the jail is up and I'm logged into the jail I
>> can cd
>> to the mount point, r/w etc., everything seems to work. What's weird
>> tho' is,
>> while a df on the parent shows the partition mounted as expected, a df
>> inside
>> the jail shows the local disk but not the iSCSI mount.
>> ...
>> So, my first question is what am I missing, the second is does
>> mounting things
>> this way into a jail pose any sort of risk for escaping the jail?
>
>
> Does anything change if you do a
> sysctl security.jail.enforce_statfs=1
>
> If that's what you want you can add the following lines to
> /etc/sysctl.conf in the base system so it is automatically set upon
> boot:
>
> # jails
> security.jail.enforce_statfs=1

Does this have any impact on security?

# sysctl -d security.jail.enforce_statfs
security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems

What is this sysctl implemented for?

Thanks

Miroslav Lachman
More information about the freebsd-jail mailing list