Date:      Thu, 21 Sep 2006 05:20:16 GMT
From:      "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/103447: "mount -o nodev" was useful for preventing escape from chroot/jail etc. 
Message-ID:  <200609210520.k8L5KGll026740@freefall.freebsd.org>

The following reply was made to PR kern/103447; it has been noted by GNATS.

From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To: "Jukka A. Ukkonen" <jau@iki.fi>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/103447: "mount -o nodev" was useful for preventing escape from chroot/jail etc. 
Date: Thu, 21 Sep 2006 05:14:58 +0000

 In message <200609210503.k8L53md5090675@www.freebsd.org>, "Jukka A. Ukkonen" writes:
 
 >It seems the mount option nodev no longer exists.
 >It had its merits in making it harder to escape from chroot/jail.
 >One known method for such escapes has been making a new device entry
 >matching the major and minor device numbers of the actual /, mounting
 >it inside the confined file system, and chroot()ing to it.
 >
 >Now that devfs is the only place where device entries should live
 >having nodev around would make all the more sense.
 >All the other mount points could be marked nodev in the fstab.
 
 Not only is devfs the only place where device entries should
 live, it is the only place where they can work.
 
 If you make a device node in any other filesystem type, it won't
 work, no matter which major/minor numbers you give it.
 
 Nodev is implicit that way.
 
 We retain the ability to create device nodes in other filesystems
 only for being able to handle diskless clients of other, mostly
 antique, operating systems.
 
 -- 
 Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
 phk@FreeBSD.ORG         | TCP/IP since RFC 956
 FreeBSD committer       | BSD since 4.3-tahoe    
 Never attribute to malice what can adequately be explained by incompetence.
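A small audit helper, added here as an example and not part of the PR thread or of FreeBSD itself: it lists block and character device nodes that sit outside a root's devfs mount, the kind of stray entry the quoted report describes. On FreeBSD such nodes are inert, as phk says above, but reporting them is still useful hygiene on a jail host, and on systems that do honour device nodes on ordinary filesystems it is the check a nodev-style policy would have enforced. It assumes only a POSIX `find` and `awk`; the `SAMPLE_LISTING` is constructed data, not output from any real host.

```shell
#!/bin/sh
# Added audit helper (not from the PR thread): report block/character device
# nodes that live outside ROOT/dev, i.e. outside the devfs mount.
# Usage: sh stray-devnodes.sh /            (scan the live root filesystem)
#        sh stray-devnodes.sh /jail/www    (scan a jail's filesystem)

# scan_devnodes ROOT
#   Walk ROOT without crossing mount points (-xdev, so the devfs instances
#   mounted at ROOT/dev or inside jails are skipped) and emit one line per
#   device node: "<b|c> <path>".  Uses only POSIX find primaries.
scan_devnodes() {
    root="${1:-/}"
    find "$root" -xdev \
        \( -type b -exec printf 'b %s\n' {} \; \) -o \
        \( -type c -exec printf 'c %s\n' {} \; \) 2>/dev/null
}

# filter_stray_devnodes ROOT
#   Read "<b|c> <path>" lines on stdin and print those whose path is not
#   below ROOT/dev.  Kept separate from scan_devnodes so it can be run over
#   a saved listing (or the constructed sample below) without root access.
filter_stray_devnodes() {
    devdir="${1:-/}"
    devdir="${devdir%/}/dev/"
    awk -v devdir="$devdir" '
        $1 == "b" || $1 == "c" {
            path = substr($0, 3)
            if (index(path, devdir) != 1) print
        }'
}

# count_stray_devnodes ROOT
#   Convenience wrapper: number of stray nodes in the listing on stdin.
count_stray_devnodes() {
    filter_stray_devnodes "$1" | wc -l | tr -d ' '
}

# Constructed sample listing (not real output from any host), in the format
# scan_devnodes emits, to show what the filter keeps and drops.
SAMPLE_LISTING='b /dev/ada0
c /dev/null
c /jail/www/dev/null
b /jail/www/tmp/fakeroot
c /home/user/.cache/stray'

if [ $# -gt 0 ]; then
    # Live scan of the requested root.
    scan_devnodes "$1" | filter_stray_devnodes "$1"
else
    # No argument: demonstrate the filter on the constructed sample.
    printf 'Sample listing filtered against ROOT=/ :\n'
    printf '%s\n' "$SAMPLE_LISTING" | filter_stray_devnodes /
fi
```

Run it with the root of the host or of a jail as its only argument; anything it prints is a device node that the system's devfs did not create and that an administrator should be able to explain. With no argument it only filters the built-in sample, which keeps the three entries outside `/dev/` and drops the two inside it.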