[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ezjail] ports

To: ezjail AT erdgeist DOT org
Subject: Re: [ezjail] ports
From: Philip Jocks <pjlists AT netzkommune DOT de>
Date: Tue, 10 Jan 2012 09:50:56 +0100
Delivered-to: mailing list ezjail AT erdgeist DOT org
In-reply-to: <8525B6E2-6B4B-427B-8CD2-F72A048D8AA6 AT tnpi DOT net>
Jabber-id: pj AT netzkommune DOT de
Mailing-list: contact ezjail-help AT erdgeist DOT org; run by ezmlm
References: <CAJxePNJcc_ou-kySiqN2pGk6bHHGv6FsvjC5bOuHjkFS26_1dw AT mail.gmail DOT com> <20120110035930.GH1853 AT schism DOT local> <CAJxePNL0+5r_0+nNOAeNXA3346XS640UnXnC3PSpUbZQ3YUw8A AT mail.gmail DOT com> <4F0BC1BD.5080200 AT erdgeist DOT org> <8525B6E2-6B4B-427B-8CD2-F72A048D8AA6 AT tnpi DOT net>

Am 10.01.2012 um 06:17 schrieb Matt Simerson:

> 
> On Jan 9, 2012, at 8:42 PM, Dirk Engling wrote:
> 
>> On 10.01.12 05:06, alexus wrote:
>> 
>>> can I somehow link/share (nullfs?) my existing /usr/ports (from host) to jails?
>> 
>> While in theory you can, I strongly recommend not to (unless you trust
>> your jail's users). However, in order to use the ports in your jail, you
>> either have to nullfs-mount them rw, or put the following in all your
>> jail's make.conf:
>> 
>> WRKDIRPREFIX=           /var/ports
>> DISTDIR=                /var/ports/distfiles
>> PACKAGES=               /var/ports/packages
>> INDEXDIR=               /var/ports
>> 
>> Using ezjail-admin install -P will use portsnap to put the ports in the
>> right place and also install a working make.conf to the jail template.
>> 
>> The problem with shared ports is obvious if you mount them rw. If you do
>> mount them ro, they still expose much information about the host system
>> (i.e. which ports in which version are installed) and expose risks like
>> this:
> 
> Nullfs mounting a filesystem ro onto multiple jails *might* expose information about the host system. I would argue it shouldn't, because a good jail host system will have precious little installed as a matter of practice. Right? 
> 
> What's really being exposed by anyone curious enough to rummage through /usr/ports/distfiles is a list of software that was and may still be installed on neighboring jails. If someone malicious was in a jail on my boxes, any installed software they might exploit could be discovered faster and more reliably using nmap. 

If you have WRKDIRPREFIX and DISTDIR set to a diffenrent location on the host system as well, the ro mounted /usr/ports should be pretty empty (except for the vanilla ports tree itself), shouldn't it?
Of course you might have to download software twice if you don't share /usr/ports/distfiles.

Philip

References:
- ports
  - From: alexus <alexus AT gmail DOT com>
- Re: [ezjail] ports
  - From: Glen Barber <glen.j.barber AT gmail DOT com>
- Re: [ezjail] ports
  - From: alexus <alexus AT gmail DOT com>
- Re: [ezjail] ports
  - From: Dirk Engling <erdgeist AT erdgeist DOT org>
- Re: [ezjail] ports
  - From: Matt Simerson <matt AT tnpi DOT net>

Prev by Date: Re: [ezjail] ports
Next by Date: Re: [ezjail] ezjail-admin bug with more than one ezjail.flavour scripts
Previous by thread: Re: [ezjail] ports
Next by thread: p2v script?
Index(es):
- Date
- Thread