Re: [ezjail] ports
On 10.01.2012 at 06:17, Matt Simerson wrote:
>
> On Jan 9, 2012, at 8:42 PM, Dirk Engling wrote:
>
>> On 10.01.12 05:06, alexus wrote:
>>
>>> can I somehow link/share (nullfs?) my existing /usr/ports (from host) to jails?
>>
>> While in theory you can, I strongly recommend not to (unless you trust
>> your jail's users). However, in order to use the ports in your jail, you
>> either have to nullfs-mount them rw, or put the following in all your
>> jail's make.conf:
>>
>> WRKDIRPREFIX= /var/ports
>> DISTDIR= /var/ports/distfiles
>> PACKAGES= /var/ports/packages
>> INDEXDIR= /var/ports
>>
>> Using ezjail-admin install -P will use portsnap to put the ports in the
>> right place and also install a working make.conf to the jail template.
>>
>> The problem with shared ports is obvious if you mount them rw. If you do
>> mount them ro, they still expose much information about the host system
>> (i.e. which ports in which version are installed) and expose risks like
>> this:
>
> Nullfs mounting a filesystem ro onto multiple jails *might* expose information about the host system. I would argue it shouldn't, because a good jail host system will have precious little installed as a matter of practice. Right?
>
> What's really being exposed by anyone curious enough to rummage through /usr/ports/distfiles is a list of software that was and may still be installed on neighboring jails. If someone malicious was in a jail on my boxes, any installed software they might exploit could be discovered faster and more reliably using nmap.
If you have WRKDIRPREFIX and DISTDIR set to a different location on the host system as well, the ro mounted /usr/ports should be pretty empty (except for the vanilla ports tree itself), shouldn't it?
Of course you might have to download software twice if you don't share /usr/ports/distfiles.
Philip
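
A check for the make.conf settings listed in the thread, as an added example that is not part of the original messages: it verifies that WRKDIRPREFIX, DISTDIR, PACKAGES and INDEXDIR are each set to an absolute path outside the shared ports tree, so nothing is written to (or left behind in) a read-only nullfs-mounted /usr/ports. The function names are hypothetical, the shared tree is assumed to be /usr/ports unless a second argument is given, and only plain `VAR=` assignments are recognised.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a make.conf for the four
# variables the thread lists for use with a shared, read-only ports tree.

PORTS_VARS="WRKDIRPREFIX DISTDIR PACKAGES INDEXDIR"

# Print the last value assigned to variable $1 in make.conf file $2.
# Assumption: only plain "VAR=" / "VAR = " assignments are recognised
# (not "?=" or "+="); trailing comments and whitespace are stripped.
makeconf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# audit_makeconf FILE [SHARED_TREE]
# Returns 0 when all four variables point to absolute paths outside
# SHARED_TREE; otherwise prints one finding per problem and returns 1.
# Returns 2 if FILE cannot be read.
audit_makeconf() {
    conf=$1 shared=${2:-/usr/ports} rc=0
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    for var in $PORTS_VARS; do
        val=$(makeconf_value "$var" "$conf")
        case $val in
            "")
                # Unset: the ports default lives under the shared tree.
                echo "MISSING $var"; rc=1 ;;
            "$shared"|"$shared"/*)
                echo "INSIDE_SHARED $var=$val"; rc=1 ;;
            /*)
                ;;  # absolute path outside the shared tree: fine
            *)
                # Relative paths or unexpanded ${...} references are
                # flagged rather than guessed at.
                echo "NOT_ABSOLUTE $var=$val"; rc=1 ;;
        esac
    done
    return $rc
}

# When run with arguments, audit that file: sh audit.sh /path/to/make.conf
[ $# -eq 0 ] || audit_makeconf "$@"
```

Run it against the make.conf of each jail, and against the host's own make.conf if the host builds ports from the same tree.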