Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 14 Jan 2002 10:59:52 -0800
From:      "Ryan C. Creasey" <ryan-fbsd@p11.com>
To:        <freebsd-security@FreeBSD.ORG>
Subject:   RE: jail and NFS
Message-ID:  <000001c19d2d$a5dae5c0$2801a8c0@office.p11.com>

Next in thread | Raw E-Mail | Index | Archive | Help
> By the way ...
> when it type in jailed box
> 	mount 
> i saw all filesystems and shares mounted by host system
> is this correct ? 

As far as I can tell, yes... I have several jails running within my
master environment and there are quite a few ways for a user in the jail
to realize that they're actually in the jail.

root@dolza.p11.com:/usr/ports# mount
/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /usr (ufs, local, with quotas)
/dev/ad0s1e on /var (ufs, local)
procfs on /proc (procfs, local)
procfs on /usr/jail/dolza.p11.com/proc (procfs, local)
procfs on /usr/jail/exedore.p11.com/proc (procfs, local)
procfs on /usr/jail/breetai.p11.com/proc (procfs, local)

ps being another one; note the 'J':
root@exedore.p11.com:/etc# ps
  PID  TT  STAT      TIME COMMAND
68462  p9- IJ     0:00.01 /bin/sh /usr/local/bin/safe_mysqld
--user=mysql
33488  pc  R+J    0:00.00 ps
58200  pc  SJ     0:00.04 -su (bash)

Although there are ways to "hack" your jail to fake users into believing
they are acutally on a real environment.  As with the above example,
it's rather trivial to recompile ps by removing the switch for the 'J'
flag: root@dolza.p11.com:/usr/ports# ps
  PID  TT  STAT      TIME COMMAND
32266  p7  I+     0:00.02 -su (bash)
63606  p8- I      0:00.01 /bin/sh /usr/local/bin/safe_mysqld
--user=mysql
33487  pd  R+     0:00.00 ps
58217  pd  S      0:00.11 -su (bash)

But there are too many little instances that I seem to overlook.  Does
anyone know of a project (freshmeat?) out there that does this?  Or am I
just unusual for wanting users to believe they're not in a jail?

Ryan C. Creasey
Network Engineer
p11creative 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?000001c19d2d$a5dae5c0$2801a8c0>