From owner-freebsd-stable@FreeBSD.ORG Mon May 7 10:17:18 2007
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG, list@manuelmartini.it
Date: Mon, 7 May 2007 12:17:10 +0200 (CEST)
Subject: Re: gmirror security problem on jail env?
Message-Id: <200705071017.l47AHAe3013326@lurza.secnetix.de>
In-Reply-To: <182867A9-ED5E-496B-980A-B70C4E90B836@manuelmartini.it>
X-Newsgroups: list.freebsd-stable
User-Agent: tin/1.8.2-20060425 ("Shillay") (UNIX) (FreeBSD/4.11-STABLE (i386))
List-Id: Production branch of FreeBSD source code

Manuel Martini wrote:
 > # sysctl -a | grep jail
 > [...]
 > security.jail.jailed: 1
 > # df
 > Filesystem          1K-blocks     Used     Avail Capacity  Mounted on
 > /dev/mirror/gm0s1g  129719744 17056610 102285556    14%    /
 > # gmirror status
 >       Name    Status  Components
 > mirror/gm0  COMPLETE  da0
 >
 > so I think I can do...
 > gmirror remove.. stop.. deactive...

No, you can do "status" and "list", but everything else should
result in "permission denied".

Note that you can do "gmirror status" and "gmirror list" as a
normal user, even as user nobody.  It doesn't require any
special privileges, so it works in jails, too.

In fact, you can get the geom status (in XML format) with
the command "sysctl -b kern.geom.confxml".  Unfortunately
there is currently no easy way to suppress that information.
If you don't want jailed users to be able to see your geom
configuration, you need to modify the kernel source code.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht
München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"I started using PostgreSQL around a month ago, and the feeling is
similar to the switch from Linux to FreeBSD in '96 -- 'wow!'."
        -- Oddbjorn Steffensen
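The information-disclosure point in the reply above is that the whole GEOM mesh is readable without privilege via `sysctl -b kern.geom.confxml`, jailed or not. The following is an added example, not code from the thread or from FreeBSD: it parses a confxml dump into the same view `gmirror status` gives (mirror name, state, member disks) plus the disks that belong to no mirror, i.e. what a jailed user learns about the host's storage layout. The embedded SAMPLE_CONFXML is constructed by hand to mirror the thread's setup (gm0 COMPLETE with only da0, an unattached da1); the element layout (mesh > class > geom > provider/consumer with config/state) follows the shape of the real dump, but ids, sizes and the second disk are assumptions. The `read_live_confxml` helper is only for use on an actual FreeBSD host.

```python
"""Parse a GEOM confxml dump the way an unprivileged (possibly jailed)
user could obtain it with `sysctl -b kern.geom.confxml`.

Added example, not code from the mailing-list thread or from FreeBSD.
SAMPLE_CONFXML below is constructed by hand: element names follow the
real dump's shape, but ids, sizes and the extra disk da1 are made up.
"""
import subprocess
import xml.etree.ElementTree as ET

SAMPLE_CONFXML = """<mesh>
  <class id="0xc0a0">
    <name>DISK</name>
    <geom id="0xc100">
      <class ref="0xc0a0"/>
      <name>da0</name>
      <rank>1</rank>
      <provider id="0xc101">
        <geom ref="0xc100"/>
        <mode>r1w1e1</mode>
        <name>da0</name>
        <mediasize>146815737856</mediasize>
        <sectorsize>512</sectorsize>
      </provider>
    </geom>
    <geom id="0xc110">
      <class ref="0xc0a0"/>
      <name>da1</name>
      <rank>1</rank>
      <provider id="0xc111">
        <geom ref="0xc110"/>
        <mode>r0w0e0</mode>
        <name>da1</name>
        <mediasize>146815737856</mediasize>
        <sectorsize>512</sectorsize>
      </provider>
    </geom>
  </class>
  <class id="0xc200">
    <name>MIRROR</name>
    <geom id="0xc300">
      <class ref="0xc200"/>
      <name>gm0</name>
      <rank>2</rank>
      <config>
        <id>1234567890</id>
        <state>COMPLETE</state>
      </config>
      <consumer id="0xc301">
        <geom ref="0xc300"/>
        <provider ref="0xc101"/>
        <mode>r1w1e1</mode>
        <config><state>ACTIVE</state></config>
      </consumer>
      <provider id="0xc302">
        <geom ref="0xc300"/>
        <mode>r1w1e1</mode>
        <name>mirror/gm0</name>
        <mediasize>146815737344</mediasize>
        <sectorsize>512</sectorsize>
      </provider>
    </geom>
  </class>
</mesh>
"""


def parse_confxml(xml_text):
    """Return (providers, mirrors).

    providers: provider id -> {"name", "class", "mediasize"} for every
               provider in the mesh (disks, partitions, mirrors, ...).
    mirrors:   one dict per MIRROR geom with its state and the
               (component name, component state) pairs it consumes.
    """
    root = ET.fromstring(xml_text)
    providers = {}
    for cls in root.findall("class"):
        cname = cls.findtext("name")
        for geom in cls.findall("geom"):
            for prov in geom.findall("provider"):
                providers[prov.get("id")] = {
                    "name": prov.findtext("name"),
                    "class": cname,
                    "mediasize": int(prov.findtext("mediasize") or 0),
                }
    mirrors = []
    for cls in root.findall("class"):
        if cls.findtext("name") != "MIRROR":
            continue
        for geom in cls.findall("geom"):
            components = []
            for cons in geom.findall("consumer"):
                ref = cons.find("provider").get("ref")
                # A consumer's config/state is the member's own state (ACTIVE, SYNCHRONIZING, ...).
                components.append((providers[ref]["name"], cons.findtext("config/state")))
            mirrors.append({
                "name": geom.findtext("name"),
                "state": geom.findtext("config/state"),
                "components": components,
            })
    return providers, mirrors


def mirror_report(xml_text):
    """Summarise what the dump reveals: mirrors plus DISK providers no mirror uses."""
    providers, mirrors = parse_confxml(xml_text)
    consumed = {name for m in mirrors for name, _ in m["components"]}
    unattached = sorted(p["name"] for p in providers.values()
                        if p["class"] == "DISK" and p["name"] not in consumed)
    return {"mirrors": mirrors, "unattached_disks": unattached}


def render_status(xml_text):
    """Render the mirrors in the same columns `gmirror status` prints."""
    lines = ["%10s  %-8s  %s" % ("Name", "Status", "Components")]
    for m in mirror_report(xml_text)["mirrors"]:
        comps = " ".join("%s (%s)" % c for c in m["components"])
        lines.append("%10s  %-8s  %s" % ("mirror/" + m["name"], m["state"], comps))
    return "\n".join(lines)


def read_live_confxml():
    """On a FreeBSD host (or jail): fetch the dump exactly as the reply describes.
    `-b` returns the raw buffer, which may carry a trailing NUL; strip it."""
    out = subprocess.run(["sysctl", "-b", "kern.geom.confxml"],
                         check=True, capture_output=True).stdout
    return out.rstrip(b"\x00").decode()


if __name__ == "__main__":
    print(render_status(SAMPLE_CONFXML))
    print("disks in no mirror:", mirror_report(SAMPLE_CONFXML)["unattached_disks"])
```

Run inside a jail as `nobody`, `read_live_confxml()` succeeds while `gmirror remove`/`stop`/`deactivate` fail with EPERM, which is exactly the asymmetry the reply describes: the control path is privileged, the topology is not.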