Date: Fri, 22 Sep 2006 17:33:35 +0200 (CEST) From: Jeremie Le Hen <jeremie@le-hen.org> To: FreeBSD-gnats-submit@FreeBSD.org Cc: dougb@FreeBSD.org, jeremie@le-hen.org Subject: misc/103489: [patch] named_chroot_autoupdate doesn't work in a jail Message-ID: <20060922153335.E397E408C@obiwan.tataz.chchile.org> Resent-Message-ID: <200609221540.k8MFeLL3003126@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 103489 >Category: misc >Synopsis: [patch] named_chroot_autoupdate doesn't work in a jail >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Sep 22 15:40:16 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Jeremie Le Hen >Release: FreeBSD 6.1-STABLE i386 >Organization: >Environment: System: FreeBSD obiwan 6.1-STABLE FreeBSD 6.1-STABLE #8: Sun Jun 25 18:27:14 CEST 2006 root@obiwan:/usr/obj/usr/src/sys/OBIWAN i386 >Description: rc.d/named's chroot_autoupdate() unconditionnaly tries to mount devfs. This is obviously not possible inside a jail. Though already jailed, one might want to run a chrooted named(8) inside a jail, in order to hinder a possible bug exploitation. This patch test the security.jail.jailed sysctl before performing the devfs stuff. Note this patch doesn't yet allow the user to run a chrooted named(8) inside a jail ; it must come along with PR misc/103486. >How-To-Repeat: Straightforward, see description. >Fix: Index: named =================================================================== RCS file: /home/ncvs/src/etc/rc.d/named,v retrieving revision 1.26 diff -u -p -u -p -r1.26 named --- named 20 Apr 2006 12:30:12 -0000 1.26 +++ named 22 Sep 2006 15:23:45 -0000 @@ -59,10 +59,12 @@ chroot_autoupdate() # Mount a devfs in the chroot directory if needed # - umount ${named_chrootdir}/dev 2>/dev/null - devfs_domount ${named_chrootdir}/dev devfsrules_hide_all - devfs -m ${named_chrootdir}/dev rule apply path null unhide - devfs -m ${named_chrootdir}/dev rule apply path random unhide + if [ `sysctl -n security.jail.jailed` = 0 ]; then + umount ${named_chrootdir}/dev 2>/dev/null + devfs_domount ${named_chrootdir}/dev devfsrules_hide_all + devfs -m ${named_chrootdir}/dev rule apply path null unhide + devfs -m ${named_chrootdir}/dev rule apply path random unhide + fi # Copy local timezone information if it is not up to date. # >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060922153335.E397E408C>