Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 22 Sep 2006 17:33:35 +0200 (CEST)
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        dougb@FreeBSD.org, jeremie@le-hen.org
Subject:   misc/103489: [patch] named_chroot_autoupdate doesn't work in a jail
Message-ID:  <20060922153335.E397E408C@obiwan.tataz.chchile.org>
Resent-Message-ID: <200609221540.k8MFeLL3003126@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         103489
>Category:       misc
>Synopsis:       [patch] named_chroot_autoupdate doesn't work in a jail
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 22 15:40:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Jeremie Le Hen
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
>Environment:
System: FreeBSD obiwan 6.1-STABLE FreeBSD 6.1-STABLE #8: Sun Jun 25 18:27:14 CEST 2006 root@obiwan:/usr/obj/usr/src/sys/OBIWAN i386
>Description:
	rc.d/named's chroot_autoupdate() unconditionnaly tries to mount devfs.
	This is obviously not possible inside a jail.  Though already jailed,
	one might want to run a chrooted named(8) inside a jail, in order to
	hinder a possible bug exploitation.
	This patch test the security.jail.jailed sysctl before performing the
	devfs stuff.

	Note this patch doesn't yet allow the user to run a chrooted named(8)
	inside a jail ; it must come along with PR misc/103486.
>How-To-Repeat:
	Straightforward, see description.
>Fix:
Index: named
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/named,v
retrieving revision 1.26
diff -u -p -u -p -r1.26 named
--- named	20 Apr 2006 12:30:12 -0000	1.26
+++ named	22 Sep 2006 15:23:45 -0000
@@ -59,10 +59,12 @@ chroot_autoupdate()
 
 	# Mount a devfs in the chroot directory if needed
 	#
-	umount ${named_chrootdir}/dev 2>/dev/null
-	devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
-	devfs -m ${named_chrootdir}/dev rule apply path null unhide
-	devfs -m ${named_chrootdir}/dev rule apply path random unhide
+	if [ `sysctl -n security.jail.jailed` = 0 ]; then
+		umount ${named_chrootdir}/dev 2>/dev/null
+		devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
+		devfs -m ${named_chrootdir}/dev rule apply path null unhide
+		devfs -m ${named_chrootdir}/dev rule apply path random unhide
+	fi
 
 	# Copy local timezone information if it is not up to date.
 	#
>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060922153335.E397E408C>