Date:      Wed, 22 Dec 2010 20:00:02 -0700
From:      "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
To:        "Jason C. Wells" <jcw@speakeasy.net>
Cc:        freebsd general questions <freebsd-questions@freebsd.org>
Subject:   Re: Nullfs Allows Jailbreaking
Message-ID:  <09452D14-1133-4282-ACF3-648D6607644A@shire.net>
In-Reply-To: <4D12BA51.2010602@speakeasy.net>
References:  <4D12BA51.2010602@speakeasy.net>


On Dec 22, 2010, at 7:56 PM, Jason C. Wells wrote:

> Here is my file system scheme for a newly created jail as viewed from the host:
>
> /usr/jail/template on /usr/jail/f1 (nullfs, local, read-only)
> /usr/jail/f1-fs/etc on /usr/jail/f1/etc (nullfs, local)
> /usr/jail/f1-fs/tmp on /usr/jail/f1/tmp (nullfs, local)
> /usr/jail/f1-fs/var on /usr/jail/f1/var (nullfs, local)
> /usr/jail/f1-fs/usr-local on /usr/jail/f1/usr/local (nullfs, local)
>
> As viewed from the jail:
>
> /usr/jail/template on / (nullfs, local, read-only)
>
> I like the idea of using a template for multiple jails that I plan to use later.  I like the idea of mounting the template read-only.  I had to splice in the other nullfs filesystems so that things that need to be read-write can be.
>
> But it seems kinda funky.  Inside the jail it looks like EVERYTHING is read-only and you have no way of knowing that /tmp is actually read-write.  There seems to be a violation of the segregation going on here.
>
> What pitfalls can you see in a file system scheme like this for my jails?  Is the above behavior by design or did I find a flaw?



I have been doing this for years with great success.   I don't understand your question.   How does it look like everything is read-only from inside the jail?  The fact that a "df" only shows the root filesystem and not all your other file systems? (assuming that is still the truth -- my jails do this on older FBSD systems)
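The layout quoted above, as an added example that belongs to neither poster: a POSIX sh script over a constructed mount(8)-style listing (the same five lines as in the question, not output captured from a real host) that resolves which host-side nullfs mount actually backs a given path inside the jail, longest mountpoint prefix wins, and whether that mount is read-only. This is the information the jail's own df does not reveal, so it is the check to run from the host when auditing a template-based jail.

```shell
#!/bin/sh
# Constructed mount(8)-style listing as seen on the host (sample data).
HOST_MOUNTS='/usr/jail/template on /usr/jail/f1 (nullfs, local, read-only)
/usr/jail/f1-fs/etc on /usr/jail/f1/etc (nullfs, local)
/usr/jail/f1-fs/tmp on /usr/jail/f1/tmp (nullfs, local)
/usr/jail/f1-fs/var on /usr/jail/f1/var (nullfs, local)
/usr/jail/f1-fs/usr-local on /usr/jail/f1/usr/local (nullfs, local)'

# effective_mount JAILROOT JAILPATH
# Prints "<host source> <ro|rw>" for the mount that backs JAILPATH inside
# the jail: the longest host mountpoint that is a directory-boundary prefix
# of JAILROOT+JAILPATH.  Prints "none unknown" if nothing matches.
effective_mount() {
    root=$1; path=$2
    full="$root$path"
    [ "$path" = "/" ] && full="$root"
    printf '%s\n' "$HOST_MOUNTS" | awk -v full="$full" '
    {
        src = $1; mnt = $3                     # "<src> on <mnt> (<opts>)"
        opts = $0
        sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
        mode = (opts ~ /read-only/) ? "ro" : "rw"
        # match only on a directory boundary, so /tmp does not claim /tmpfoo
        if (full == mnt || index(full, mnt "/") == 1) {
            if (length(mnt) > best) { best = length(mnt); bsrc = src; bmode = mode }
        }
    }
    END { if (best) print bsrc, bmode; else print "none", "unknown" }'
}

# Report the effective backing store for the paths an admin cares about.
for p in / /etc /tmp /var /usr/local /usr/bin; do
    printf '%-12s -> %s\n' "$p" "$(effective_mount /usr/jail/f1 "$p")"
done
```

Paths under /tmp, /etc, /var and /usr/local resolve to their read-write nullfs mounts; everything else, including / and /usr/bin, falls back to the read-only template.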

