RE: jail and NFS

From: Ryan C. Creasey (ryan-fbsd@p11.com)
Date: 01/14/02

• Next message: Buliwyf McGraw: "gets() is unsafe"
• Previous message: zhuravlev alexander: "Re: jail and NFS"
• Maybe in reply to: zhuravlev alexander: "jail and NFS"
• Next in thread: Robert Watson: "RE: jail and NFS"
• Reply: Robert Watson: "RE: jail and NFS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Ryan C. Creasey" <ryan-fbsd@p11.com>
To: <freebsd-security@FreeBSD.ORG>
Date: Mon, 14 Jan 2002 10:59:52 -0800

> By the way ...
> when it type in jailed box
> mount
> i saw all filesystems and shares mounted by host system
> is this correct ?

As far as I can tell, yes... I have several jails running within my
master environment and there are quite a few ways for a user in the jail
to realize that they're actually in the jail.

root@dolza.p11.com:/usr/ports# mount
/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /usr (ufs, local, with quotas)
/dev/ad0s1e on /var (ufs, local)
procfs on /proc (procfs, local)
procfs on /usr/jail/dolza.p11.com/proc (procfs, local)
procfs on /usr/jail/exedore.p11.com/proc (procfs, local)
procfs on /usr/jail/breetai.p11.com/proc (procfs, local)

ps being another one; note the 'J':
root@exedore.p11.com:/etc# ps
  PID TT STAT TIME COMMAND
68462 p9- IJ 0:00.01 /bin/sh /usr/local/bin/safe_mysqld
--user=mysql
33488 pc R+J 0:00.00 ps
58200 pc SJ 0:00.04 -su (bash)

Although there are ways to "hack" your jail to fake users into believing
they are acutally on a real environment. As with the above example,
it's rather trivial to recompile ps by removing the switch for the 'J'
flag: root@dolza.p11.com:/usr/ports# ps
  PID TT STAT TIME COMMAND
32266 p7 I+ 0:00.02 -su (bash)
63606 p8- I 0:00.01 /bin/sh /usr/local/bin/safe_mysqld
--user=mysql
33487 pd R+ 0:00.00 ps
58217 pd S 0:00.11 -su (bash)

But there are too many little instances that I seem to overlook. Does
anyone know of a project (freshmeat?) out there that does this? Or am I
just unusual for wanting users to believe they're not in a jail?

Ryan C. Creasey
Network Engineer
p11creative

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Next message: Buliwyf McGraw: "gets() is unsafe"
• Previous message: zhuravlev alexander: "Re: jail and NFS"
• Maybe in reply to: zhuravlev alexander: "jail and NFS"
• Next in thread: Robert Watson: "RE: jail and NFS"
• Reply: Robert Watson: "RE: jail and NFS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Some questions about jails ... You don't need to start a jail with procfs, ... > network card present in the host system? ... > one jail's purpouses is to fool the jail users, ... (freebsd-hackers) jail and mount points. ... At the moment 'df' displays the mount points for the whole ... instead of those available in the jail. ... devfs on /dev ... procfs on /proc ... (freebsd-current) New jail related rc.conf variable ... there were some variables controlling whether or not I want to mount devfs ... or procfs, I did not found any simple way to use some nullfs or unionfs ... I though that the jail rc script was laking ... (freebsd-current) New jail related rc.conf variable ... there were some variables controlling whether or not I want to mount devfs ... or procfs, I did not found any simple way to use some nullfs or unionfs ... I though that the jail rc script was laking ... (freebsd-current) Is "rm -rf /mnt/stand/" OK? ... FreeBSD 4.8-RELEASE #0 is running on the PC. ... Regards, ... /dev/ad0s1a on / (ufs, local) ... procfs on /proc ... (comp.unix.bsd.freebsd.misc)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint