Re: [PATCH] jail NG schript patch for mounting devfs and procfsautomatically

• Previous message: Joe Warner: "Re: chkrootkit reports INFECTED :("
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 15 Aug 2003 16:17:10 +0200
To: "Scot W. Hetzel" <hetzels@westbend.net>

On 14.08.2003 15:36, Scot W. Hetzel wrote:

> I just noticed a problem with periodic scripts inside a jail. I'm getting:
>
> Local system status:
> tee: /dev/stderr: Operation not supported
>
> Mail in local queue:
> tee: /dev/stderr: Operation not supported
>
> Mail in submit queue:
> tee: /dev/stderr: Operation not supported
>
> in the periodic daily, weekly, monthly and security reports. But if I mount
> the fdescfs on the jail, then these errors go away.
>
> So we need to add the following to the new jail script
>
> jail_start()
> {
> :
> eval jail_devfs=\"\$jail_${_jail}_devfs\"
> [ -z ${jail_devfs} ] && jail_devfs="NO":
>
> eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
> [ -z ${jail_fdescfs} ] && jail_fdescfs="NO"
> :
> if checkyesno jail_devfs ; then
> mount -t devfs dev ${jail_devdir}
> if checkyesno jail_fdescfs ; then
> mount -t fdescfs fdesc ${jail_devdir}/fd
> fi
> :
> fi
> :
> }
>
> jail_stop()
> {
> :
> eval jail_devfs=\"\$jail_${_jail}_devfs\"
> [ -z ${jail_devfs} ] && jail_devfs="NO":
>
> eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
> [ -z ${jail_fdescfs} ] && jail_fdescfs="NO"
> :
> if checkyesno jail_devfs ; then
> if [ -d ${jail_devdir} ] ; then
> if checkyesno jail_fdescfs; then
> umount -f ${jail_devdir}/fd >/dev/null 2>&1
> fi
> umount -f ${jail_devdir} >/dev/null 2>&1
> fi
> fi
> :
> }
>
> The only decsion we need to make is wheter to always mount the fdescfs when
> devfs is mounted on the jail, or have a variable to enable mounting of the
> fdescfs (jail_*_fdescfs).
>
> Scot

I don't run periodics in jails, because they are not allowed to mail
out :-)

But I wouldn't really care having fdescfs mounted every time as
security problem, so I would decide to mount it ever (or defaultly).
If someone cares, addition of jail_example_mount_fdescfs is
recommented.

I add a CC to security@, because of there may be one or other who
has an important comment.

Best,
Jens

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

• Previous message: Joe Warner: "Re: chkrootkit reports INFECTED :("
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: [PATCH] jail NG schript patch for mounting devfs and procfsautomatically ... On 14.08.2003 15:36, Scot W. Hetzel wrote: ... > Local system status: ... > Mail in local queue: ... > the fdescfs on the jail, ... (freebsd-current) Re: [PATCH] jail NG schript patch for mounting devfs and procfsautomatically ... I just noticed a problem with periodic scripts inside a jail. ... Local system status: ... tee: /dev/stderr: Operation not supported ... Mail in local queue: ... (freebsd-current) Re: Paris Hilton "reassigned" ... us would try to do in her situation -- get out of jail anyway we ... So I think the anger is a bit misdirected and should really be ... would still be sitting in a county lock up ... Scot ... (rec.music.gdead)