Re: jails and output of df/mount [PATCH]

2005-05-23 Thread Raphael H. Becker

Hi Jürgen,

On Wed, May 18, 2005 at 12:45:29AM +0200, Juergen Unger wrote:
 On Tue, May 17, 2005 at 11:43:24PM +0200, Jeremie Le Hen wrote:
 [...]
  There seems to be one small bug in your patch: once applied, we
  don't see information about / any longer inside jails.
 
 please try the new one at
 http://www.addict.de/unger/fbsd/patch-20050518/

Tested this one; it compiles and seems to work as expected:

On jailhost (outside):
$ uname -a
FreeBSD pinserv6.p-i-n.com 5.4-STABLE FreeBSD 5.4-STABLE #10: Mon May 23 10:07:39 CEST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/PE2650  i386

[EMAIL PROTECTED]:~$ mount
/dev/aacd0s2a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/aacd1s1d on /data (ufs, local, soft-updates)
/dev/aacd0s2e on /usr (ufs, local, soft-updates)
/dev/aacd0s2d on /var (ufs, local, soft-updates)
procfs on /proc (procfs, local)
devfs on /data/jails/test01/dev (devfs, local)
devfs on /data/jails/test02/dev (devfs, local)


In jails:
[EMAIL PROTECTED] mount
/dev/aacd1s1d on /data (ufs, local, soft-updates)
devfs on /data/jails/test01/dev (devfs, local)

[EMAIL PROTECTED] mount
/dev/aacd1s1d on /data (ufs, local, soft-updates)
devfs on /data/jails/test02/dev (devfs, local)


Regards,
Raphael Becker
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: jails and output of df/mount [PATCH]

2005-05-17 Thread Jeremie Le Hen
Hi Juergen,

 within a jail there are at this time two possibilities
 of operation for the syscall getfsstat (which is used e.g.
 for the commands 'df' and 'mount'):
 
 security.jail.getfsstatroot_only = 0:
   getfsstat returns all filesystems mounted anywhere on the machine
 
 security.jail.getfsstatroot_only = 1:
   getfsstat returns the filesystem where the jail-root is in
   and nothing more (mountpoints within the jails fs-tree are not
   returned)
 
 IMHO this 2nd one is not what is really needed:  If we
 have additional filesystems mounted within the jails tree
 they should be visible too so that they are shown with
 a simple 'df' or 'mount'.
 
 I made a small patch for this which is available at
 http://www.addict.de/unger/fbsd/patch-20050516/
 and should work against CURRENT and RELENG_5_4
 
 Any comments ?  I am not sure if there is locking needed
 (mtx_lock, mtx_unlock) around this new piece of code, at this
 time it works for me without locking...
 Any other opinions ?  

This works fine on a recent RELENG_5 UP kernel.  Given that this
exposes some host configuration inside the jail, it might be worth
adding a sysctl to disable this.  However, I'm not really sure
this kind of information could really be an attack vector or ramp.

There seems to be one small bug in your patch: once applied, we
don't see information about / any longer inside jails.

Thanks for your work.

Regards,
-- 
Jeremie Le Hen
 jeremie at le-hen dot org  ttz at chchile dot org 


Re: jails and output of df/mount [PATCH]

2005-05-17 Thread Juergen Unger
Hi Jeremie !

On Tue, May 17, 2005 at 11:43:24PM +0200, Jeremie Le Hen wrote:
[...]
 This works fine on a recent RELENG_5 UP kernel.  Given that this
 exposes some host configuration inside the jail, it might be worth
 adding a sysctl to disable this.  However, I'm not really sure
 this kind of information could really be an attack vector or ramp.

I don't share your opinion that this exposes information not
already known to the processes within the jail.  For example:

with this patch I get on a sample jail here the following
output:

 jail# df -h
 Filesystem          Size    Used   Avail Capacity  Mounted on
 /dev/md3c           4.8G    148M    4.3G     3%    /data1/jail/003
 195.49.136.4:/po    989M    275M    635M    30%    /data1/jail/003/usr/ports
 195.49.136.4:/di    989M    189M    721M    21%    /data1/jail/003/distfiles
 195.49.136.4:/pa    989M     83M    828M     9%    /data1/jail/003/packages
 /dev/md2001c         19G    4.0K     18G     0%    /data1/jail/003/var/spool/news
 devfs               1.0K    1.0K      0B   100%    /data1/jail/003/dev
 fdescfs             1.0K    1.0K      0B   100%    /data1/jail/003/dev/fd
 procfs              4.0K    4.0K      0B   100%    /data1/jail/003/proc
 jail# 

the processes within the jail can get the same information without
the patch if they call df for each mounted fs separately:

 jail# df -h /
 Filesystem          Size    Used   Avail Capacity  Mounted on
 /dev/md3c           4.8G    148M    4.3G     3%    /data1/jail/003
 jail# df -h /usr/ports
 Filesystem          Size    Used   Avail Capacity  Mounted on
 195.49.136.4:/po    989M    275M    635M    30%    /data1/jail/003/usr/ports
 jail# df -h /distfiles
 Filesystem          Size    Used   Avail Capacity  Mounted on
 195.49.136.4:/di    989M    189M    721M    21%    /data1/jail/003/distfiles
 [...and so on...]

That the '/data1/jail/003/' path component is shown in the output
is another point to fix (I will make another patch for it), but
this behaviour is not changed from before.  It would be better
to only output the path as it is known to the jailed processes.

 There seems to be one small bug in your patch: once applied, we
 don't see information about / any longer inside jails.

hmm, I think I know what you mean.  I am very sure this happens only
if the jail does not have its own filesystem (so the jail's root is
not the root of a filesystem).  Should be easy to fix.  I will
make an improved patch by tomorrow.

bye,
  Juergen


-- 
ENOSIG


Re: jails and output of df/mount [PATCH]

2005-05-17 Thread Juergen Unger
On Tue, May 17, 2005 at 11:43:24PM +0200, Jeremie Le Hen wrote:
[...]
 There seems to be one small bug in your patch: once applied, we
 don't see information about / any longer inside jails.

please try the new one at
http://www.addict.de/unger/fbsd/patch-20050518/

bye,
  Juergen

-- 
ENOSIG


jails and output of df/mount [PATCH]

2005-05-16 Thread Juergen Unger
Hi !

within a jail there are at this time two possibilities
of operation for the syscall getfsstat (which is used e.g.
for the commands 'df' and 'mount'):

security.jail.getfsstatroot_only = 0:
getfsstat returns all filesystems mounted anywhere on the machine

security.jail.getfsstatroot_only = 1:
getfsstat returns the filesystem where the jail-root is in
and nothing more (mountpoints within the jails fs-tree are not
returned)

IMHO this 2nd one is not what is really needed:  If we
have additional filesystems mounted within the jails tree
they should be visible too so that they are shown with
a simple 'df' or 'mount'.

I made a small patch for this which is available at
http://www.addict.de/unger/fbsd/patch-20050516/
and should work against CURRENT and RELENG_5_4

Any comments ?  I am not sure if there is locking needed
(mtx_lock, mtx_unlock) around this new piece of code, at this
time it works for me without locking...
Any other opinions ?  

bye,
  Juergen
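
The getfsstat filtering this thread is about, modelled in user space as an added example; it is not Juergen's patch (which is not on the page) and not FreeBSD kernel code. The mount table is constructed from the host `mount` output in Raphael's mail. `jail_visible` reproduces the two sysctl settings from the original post plus the patched behaviour (labelled mode 2 here, a label of this example only), `prefix_only` shows the shape of the "/ disappears" bug Jeremie reported for jails whose root is a directory inside a larger filesystem, and `jail_mntonname` is my assumption of how the path rewriting Juergen mentions as a follow-up would look. Jail root paths are assumed to carry no trailing slash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two statfs fields from getfsstat(2) that matter here. */
struct mnt { const char *from; const char *on; };   /* f_mntfromname, f_mntonname */

/* Constructed sample: the host mount table from Raphael's mail. */
static const struct mnt host_mounts[] = {
    { "/dev/aacd0s2a", "/" },      { "devfs", "/dev" },
    { "/dev/aacd1s1d", "/data" },  { "/dev/aacd0s2e", "/usr" },
    { "/dev/aacd0s2d", "/var" },   { "procfs", "/proc" },
    { "devfs", "/data/jails/test01/dev" },
    { "devfs", "/data/jails/test02/dev" },
};
#define NHOST (sizeof host_mounts / sizeof host_mounts[0])

/* True if path is dir or lies below it, comparing whole components
 * (so "/data1" is not under "/data"). Paths carry no trailing slash. */
static bool path_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (strcmp(dir, "/") == 0)
        return path[0] == '/';
    return strncmp(path, dir, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Index of the fs holding path: its longest ancestor mountpoint, -1 if none. */
static int containing_mount(const struct mnt *m, size_t nm, const char *path)
{
    int best = -1;
    size_t bestlen = 0;
    for (size_t i = 0; i < nm; i++) {
        size_t l = strlen(m[i].on);
        if (path_under(path, m[i].on) && (best < 0 || l > bestlen)) {
            best = (int)i;
            bestlen = l;
        }
    }
    return best;
}

/* Entries a jail rooted at jailroot may see, as indices into m.
 * mode 0: all mounts (getfsstatroot_only=0); mode 1: only the fs holding the
 * jail root (getfsstatroot_only=1); mode 2: that fs plus every mount below
 * the root. "2" is this example's label for the patched behaviour, not a sysctl value. */
static size_t jail_visible(const struct mnt *m, size_t nm, const char *jailroot,
                           int mode, int *out, size_t outmax)
{
    size_t n = 0;
    if (mode == 0) {
        for (size_t i = 0; i < nm && n < outmax; i++)
            out[n++] = (int)i;
        return n;
    }
    int root = containing_mount(m, nm, jailroot);
    if (root >= 0 && n < outmax)
        out[n++] = root;            /* always show the fs that holds the jail's "/" */
    if (mode == 1)
        return n;
    for (size_t i = 0; i < nm && n < outmax; i++)
        if ((int)i != root && path_under(m[i].on, jailroot))
            out[n++] = (int)i;      /* mounts inside the jail's tree */
    return n;
}

/* A bare prefix filter: the shape of the bug Jeremie reported. When the jail
 * root is a directory inside a larger fs (test01 inside /data) that fs is not
 * below the root, so it is dropped and "/" vanishes from df. */
static size_t prefix_only(const struct mnt *m, size_t nm, const char *jailroot,
                          int *out, size_t outmax)
{
    size_t n = 0;
    for (size_t i = 0; i < nm && n < outmax; i++)
        if (path_under(m[i].on, jailroot))
            out[n++] = (int)i;
    return n;
}

/* Mountpoint as a jailed process would expect it: the fs holding the jail
 * root shows as "/", mounts below it lose the jail root prefix. Assumption:
 * this is how the path follow-up Juergen mentions would behave. */
static const char *jail_mntonname(const char *on, const char *jailroot)
{
    if (path_under(jailroot, on))
        return "/";                        /* at or above the jail root */
    if (path_under(on, jailroot))
        return on + strlen(jailroot);      /* below it */
    return on;                             /* not visible from this jail */
}

int main(void)
{
    const char *jailroot = "/data/jails/test01";
    int vis[NHOST];
    size_t n = jail_visible(host_mounts, NHOST, jailroot, 2, vis, NHOST);
    for (size_t i = 0; i < n; i++)
        printf("%s on %s  -> jail sees %s\n", host_mounts[vis[i]].from,
               host_mounts[vis[i]].on, jail_mntonname(host_mounts[vis[i]].on, jailroot));
    return 0;
}
```

For test01 the mode 2 result is exactly the two lines Raphael's in-jail `mount` printed (/data and the jail's devfs), while the prefix-only filter returns just the devfs entry, which is the missing "/" Jeremie saw. Mode 1 returns only /data for either jail, and mode 0 returns the whole host table including the other jail's devfs.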

