Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically

From: Jens Rehsack (rehsack_at_liwing.de)
Date: 08/15/03

    Date: Fri, 15 Aug 2003 16:17:10 +0200
    To: "Scot W. Hetzel" <hetzels@westbend.net>
    
    

    On 14.08.2003 15:36, Scot W. Hetzel wrote:

    > I just noticed a problem with periodic scripts inside a jail. I'm getting:
    >
    > Local system status:
    > tee: /dev/stderr: Operation not supported
    >
    > Mail in local queue:
    > tee: /dev/stderr: Operation not supported
    >
    > Mail in submit queue:
    > tee: /dev/stderr: Operation not supported
    >
    > in the periodic daily, weekly, monthly and security reports. But if I mount
    > the fdescfs on the jail, then these errors go away.
    >
    > So we need to add the following to the new jail script
    >
    > jail_start()
    > {
    > :
    >     # Per-jail knobs; default to NO when unset
    >     eval jail_devfs=\"\$jail_${_jail}_devfs\"
    >     [ -z "${jail_devfs}" ] && jail_devfs="NO"
    >
    >     eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
    >     [ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
    > :
    >     if checkyesno jail_devfs ; then
    >         mount -t devfs dev "${jail_devdir}"
    >         # fdescfs is only mounted on top of the jail's devfs
    >         if checkyesno jail_fdescfs ; then
    >             mount -t fdescfs fdesc "${jail_devdir}/fd"
    >         fi
    > :
    >     fi
    > :
    > }
    >
    > jail_stop()
    > {
    > :
    >     eval jail_devfs=\"\$jail_${_jail}_devfs\"
    >     [ -z "${jail_devfs}" ] && jail_devfs="NO"
    >
    >     eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
    >     [ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
    > :
    >     if checkyesno jail_devfs ; then
    >         if [ -d "${jail_devdir}" ] ; then
    >             # Unmount in reverse order: fd first, then dev
    >             if checkyesno jail_fdescfs ; then
    >                 umount -f "${jail_devdir}/fd" >/dev/null 2>&1
    >             fi
    >             umount -f "${jail_devdir}" >/dev/null 2>&1
    >         fi
    >     fi
    > :
    > }
    >
    > The only decision we need to make is whether to always mount the fdescfs when
    > devfs is mounted on the jail, or have a variable to enable mounting of the
    > fdescfs (jail_*_fdescfs).
    >
    > Scot

    I don't run periodics in jails, because they are not allowed to mail
    out :-)

    But I wouldn't really care about having fdescfs mounted every time as
    a security problem, so I would decide to mount it always (or by default).
    If someone cares, the addition of jail_example_mount_fdescfs is
    recommended.

    I am adding a CC to security@, because there may be one or another who
    has an important comment.

    Best,
    Jens

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
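
The per-jail knob logic discussed in this thread, as an added example that is not part of the original messages or of FreeBSD's rc.d/jail script: a dry-run planner that prints the mount and unmount commands instead of running them. The helper names (`is_yes`, `jail_knob`, `jail_mount_plan`, `jail_umount_plan`) and the sample jails (`www`, `db`, `old`) are assumptions; the jail name is validated because it is spliced into an `eval`.

```sh
#!/bin/sh
# Added example: dry-run planner for per-jail devfs/fdescfs mounts.
# is_yes, jail_knob, jail_mount_plan and jail_umount_plan are hypothetical
# helpers, not rc.d/jail code; is_yes stands in for rc.subr's checkyesno.

is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve jail_<name>_<knob>, defaulting to NO. The jail name ($1) is checked
# first because it becomes part of an eval; $2 is a fixed string from callers.
jail_knob() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    eval "_v=\${jail_${1}_${2}:-NO}"
    printf '%s\n' "$_v"
}

# Print the mount commands for jail $1 whose /dev directory is $2.
jail_mount_plan() {
    _devfs=$(jail_knob "$1" devfs) || return 2
    _fdescfs=$(jail_knob "$1" fdescfs) || return 2
    is_yes "$_devfs" || return 0      # no devfs: fdescfs knob is ignored
    echo "mount -t devfs dev $2"
    if is_yes "$_fdescfs"; then
        echo "mount -t fdescfs fdesc $2/fd"
    fi
}

# Print the unmount commands in reverse order (fd before dev).
jail_umount_plan() {
    _devfs=$(jail_knob "$1" devfs) || return 2
    _fdescfs=$(jail_knob "$1" fdescfs) || return 2
    is_yes "$_devfs" || return 0
    if is_yes "$_fdescfs"; then
        echo "umount -f $2/fd"
    fi
    echo "umount -f $2"
}

# Constructed sample configuration (rc.conf-style variables).
jail_www_devfs="YES"; jail_www_fdescfs="YES"
jail_db_devfs="YES"
jail_old_fdescfs="YES"   # fdescfs requested without devfs
```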

