Date: Sat, 23 Sep 2006 14:39:02 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: freebsd-questions@FreeBSD.org
Cc: jeremie@le-hen.org
Subject: Re: [fbsd] chrooted named in a jail
Message-ID: <20060923123902.GV15761@obiwan.tataz.chchile.org>
In-Reply-To: <20060921193110.GL15761@obiwan.tataz.chchile.org>
References: <20060921193110.GL15761@obiwan.tataz.chchile.org>
Hi list,

On Thu, Sep 21, 2006 at 09:31:10PM +0200, Jeremie Le Hen wrote:
> Hi list,
>
> please Cc: me in your replies, I am not subscribed to this list.
>
> I have a jail in which named(8) runs. In order to make a possible bug
> exploitation still more difficult, I would like to use the named_chrootdir
> variable for rc.conf(5).
>
> Unfortunately, rc.d/named tries to mount devfs in the named_chrootdir,
> which is obviously not possible inside a jail. I could hack the jail
> startup bit in order to mount devfs in $jaildir/$named_chrootdir/dev,
> but I find this a bit overkill and I am looking for a neater way to
> achieve this. I thought of using $jail_fstab and $jail_mount_enable
> in order to mount_nullfs(8) $jaildir/dev onto $jaildir/$named_chrootdir/dev,
> but I am not sure this is allowed by the kernel (I'm scared to panic my
> production box).
>
> Any clue or idea?

For your information, I managed to run a chrooted named(8) inside a jail
with two small patches I submitted in the following PRs:

http://www.freebsd.org/cgi/query-pr.cgi?pr=103486
http://www.freebsd.org/cgi/query-pr.cgi?pr=103489

The second PR prevents rc.d/named from doing devfs stuff inside a jail,
using the security.jail.jailed sysctl. The first PR makes rc.d/jail mount
the jail's devfs before the jail's fstab. This way, I can use
/etc/fstab.<jname> to null-mount $jail_rootdir/dev onto
$jail_rootdir/$named_chrootdir/dev.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
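The following sketch is an added example, not the text of PR 103486 or 103489 and not code from rc.d/named or rc.d/jail. It shows the two pieces the message describes in plain sh: an rc.d/named-style decision that consults security.jail.jailed and only mounts devfs itself on the host (inside a jail it merely checks that /dev/null and /dev/random were pre-mounted), and the fstab(5) line for /etc/fstab.<jname> that null-mounts the jail's own /dev onto the chroot's dev directory. The jail path /usr/jails/dns and chroot path /var/named are invented example values; the real rc.d/named additionally restricts the host-mounted devfs with rulesets, which this sketch leaves out.

```shell
#!/bin/sh
# Added illustration (not the PR patches): rc.d/named-style devfs decision
# and the /etc/fstab.<jname> nullfs line for a chrooted named inside a jail.

# Return 0 when running inside a jail, 1 otherwise.  The value is taken
# from $1 when given (so the logic can be exercised on any host), else from
# the FreeBSD sysctl security.jail.jailed (1 inside a jail, 0 on the host).
named_is_jailed() {
    jailed="${1:-$(sysctl -n security.jail.jailed 2>/dev/null || echo 0)}"
    [ "$jailed" -eq 1 ]
}

# Decide how rc.d/named should provide /dev inside named_chrootdir.
#   "mount"      host: mount a (restricted) devfs ourselves
#   "premounted" jail: /dev/null and /dev/random already present, use them
#   "missing"    jail: devfs cannot be mounted from here; the admin must
#                pre-mount one (e.g. via the fstab line below)
named_devfs_action() {
    chrootdir="$1"; jailed="$2"
    if named_is_jailed "$jailed"; then
        if [ -c "$chrootdir/dev/null" ] && [ -c "$chrootdir/dev/random" ]; then
            echo premounted
        else
            echo missing
        fi
    else
        echo mount
    fi
}

# Build the fstab(5) line for /etc/fstab.<jname> that makes the jail's own
# devfs visible inside the named chroot.  Arguments are the jail root on the
# host and named_chrootdir as seen from inside the jail (example values only).
jail_named_fstab_line() {
    jail_rootdir="$1"; named_chrootdir="$2"
    printf '%s/dev %s%s/dev nullfs rw 0 0\n' \
        "$jail_rootdir" "$jail_rootdir" "$named_chrootdir"
}

# Example: jail rooted at /usr/jails/dns, named chrooted to /var/named in it.
jail_named_fstab_line /usr/jails/dns /var/named
# -> /usr/jails/dns/dev /usr/jails/dns/var/named/dev nullfs rw 0 0
```

The ordering point from the first PR matters here: the nullfs line can only succeed if the jail's /dev is already a mounted devfs when rc.d/jail processes /etc/fstab.<jname>, otherwise it null-mounts an empty directory and named still finds no /dev/null or /dev/random in its chroot.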