[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ezjail] ports



On Jan 9, 2012, at 8:42 PM, Dirk Engling wrote:

> On 10.01.12 05:06, alexus wrote:
> 
>> can I somehow link/share (nullfs?) my existing /usr/ports (from host) to jails?
> 
> While in theory you can, I strongly recommend not to (unless you trust
> your jail's users). However, in order to use the ports in your jail, you
> either have to nullfs-mount them rw, or put the following in all your
> jail's make.conf:
> 
> WRKDIRPREFIX=           /var/ports
> DISTDIR=                /var/ports/distfiles
> PACKAGES=               /var/ports/packages
> INDEXDIR=               /var/ports
> 
> Using ezjail-admin install -P will use portsnap to put the ports in the
> right place and also install a working make.conf to the jail template.
> 
> The problem with shared ports is obvious if you mount them rw. If you do
> mount them ro, they still expose much information about the host system
> (i.e. which ports in which version are installed) and expose risks like
> this:

Nullfs mounting a filesystem ro onto multiple jails *might* expose information about the host system. I would argue it shouldn't, because a good jail host system will have precious little installed as a matter of practice. Right? 

What's really being exposed by anyone curious enough to rummage through /usr/ports/distfiles is a list of software that was and may still be installed on neighboring jails. If someone malicious was in a jail on my boxes, any installed software they might exploit could be discovered faster and more reliably using nmap. 

The advantage of a nullfs setup is having  just one copy of the ports tree consuming disk  space and inodes. Just one ports tree to keep updated. Sharing /usr/ports/distfiles among all the jails that I  alone manage so software doesn't have to download independently in each jail. I've worked on a number of machines with slow links and not having to download the same file multiple times can save much time.

On my most used server, I have 21 jails and two of them are managed by someone else. They get a copy of /usr/ports mounted read only in their jail. It is kept up-to-date for them via "portsnap cron" on the host system. They have the make.conf entries Dirk showed above. I don't consider their ability to "ls /usr/ports/distfiles" to be a security concern. Dirk does. YMMV.

> http://www.freebsd.org/cgi/query-pr.cgi?pr=100164

The admin misconfigured his fstab. That's not a risk I'm concerned about. Again, YMMV.

Matt

Attachment: smime.p7s
Description: S/MIME cryptographic signature