Re: [fbsd] chrooted named in a jail

Hi list,

On Thu, Sep 21, 2006 at 09:31:10PM +0200, Jeremie Le Hen wrote:
Hi list,

please Cc: me in your replies, I am not subscribed to this list.

I have a jail in which named(8) runs. In order to make a possible bug
exploitation still more difficult, I would like to use the named_chrootdir
variable for rc.conf(5).

Unfortunately, rc.d/named tries to mount devfs in the named_chrootdir,
which is obviously not possible inside a jail. I could hack the jail
startup bit in order to mount devfs in $jaildir/$named_chrootdir/dev,
but I find this a bit overkill and I am looking for a neater way to
achieve this. I thought of using $jail_fstab and $jail_mount_enable
in order to mount_nullfs(8) $jaildir/dev onto $jaildir/$named_chrootdir/dev
but I am not sure this is allowed by the kernel (I'm scared to panic my
production box).

Any clue, idea ?

For your information, I achieved to run a chrooted named(8) inside
a jail with two small patches I submitted in the following PRs:

http://www.freebsd.org/cgi/query-pr.cgi?pr=103486
http://www.freebsd.org/cgi/query-pr.cgi?pr=103489

The second PR prevents rc.d/named from doing devfs stuff inside a
jail, using the security.jail.jailed sysctl.

The first PR makes rc.d/jail mount jail's devfs before jail's fstab.
This way, I can use /etc/fstab.<jname> to null-mount $jail_rootdir/dev
onto $jail_rootdir/$named_chrootdir/dev.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"

Relevant Pages