From owner-freebsd-bugs@FreeBSD.ORG Thu Sep 21 05:10:22 2006 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DAD4516A407 for ; Thu, 21 Sep 2006 05:10:21 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6ABC243D53 for ; Thu, 21 Sep 2006 05:10:21 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k8L5ALQX025822 for ; Thu, 21 Sep 2006 05:10:21 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k8L5ALTB025821; Thu, 21 Sep 2006 05:10:21 GMT (envelope-from gnats) Resent-Date: Thu, 21 Sep 2006 05:10:21 GMT Resent-Message-Id: <200609210510.k8L5ALTB025821@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Jukka A. Ukkonen" Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1D7F16A407 for ; Thu, 21 Sep 2006 05:03:48 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD5ED43D46 for ; Thu, 21 Sep 2006 05:03:48 +0000 (GMT) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k8L53mPl090676 for ; Thu, 21 Sep 2006 05:03:48 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id k8L53md5090675; Thu, 21 Sep 2006 05:03:48 GMT (envelope-from nobody) Message-Id: <200609210503.k8L53md5090675@www.freebsd.org> Date: Thu, 21 Sep 2006 05:03:48 GMT From: "Jukka A. Ukkonen" To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-2.3 Cc: Subject: kern/103447: "mount -o nodev" was useful for preventing escape from chroot/jail etc. X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Sep 2006 05:10:22 -0000 >Number: 103447 >Category: kern >Synopsis: "mount -o nodev" was useful for preventing escape from chroot/jail etc. >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Thu Sep 21 05:10:20 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Jukka A. Ukkonen >Release: 6.2-PRERELEASE >Organization: private person >Environment: FreeBSD mjolnir 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #2: Wed Sep 20 08:33:47 EEST 2006 root@mjolnir:/usr/obj/usr/src/sys/Mjolnir i386 >Description: It seems the mount option nodev no longer exists. It had its merits in making it harder to escape from chroot/jail. One known method for such escapes has been making a new device entry matching the major and minor device numbers of the actual /, mounting it inside the confinded file system, and chroot()ing to it. Now that devfs is the only place where device entries should live having nodev around would make all the more sense. All the other mount points could be marked nodev in the fstab. >How-To-Repeat: An easy way to test the "nodev" option is gone is to simply try using it with a suitable test mount point. "mount -o nodev" and the option "nodev" in fstab no longer are shown in the output of "mount -p". Also defines it as... #define MNT_NODEV 0 /* Deprecated option */ The normal file systems still can contain device nodes as before... mknod rootdev c 0 142 The mknod creates a copy of a geom mirror used as the actual system root in the system this was tried on. Though jail can confine areas better than plain chroot also the latter one will be around for quite some time. Having "mount -o nodev" around would be one more addition to the layered onion like security. >Fix: If the nodev option was not awfully hard to maintain, please, return it to the system. >Release-Note: >Audit-Trail: >Unformatted: