[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ezjail] ports



Am 10.01.2012 um 06:17 schrieb Matt Simerson:

> 
> On Jan 9, 2012, at 8:42 PM, Dirk Engling wrote:
> 
>> On 10.01.12 05:06, alexus wrote:
>> 
>>> can I somehow link/share (nullfs?) my existing /usr/ports (from host) to jails?
>> 
>> While in theory you can, I strongly recommend not to (unless you trust
>> your jail's users). However, in order to use the ports in your jail, you
>> either have to nullfs-mount them rw, or put the following in all your
>> jail's make.conf:
>> 
>> WRKDIRPREFIX=           /var/ports
>> DISTDIR=                /var/ports/distfiles
>> PACKAGES=               /var/ports/packages
>> INDEXDIR=               /var/ports
>> 
>> Using ezjail-admin install -P will use portsnap to put the ports in the
>> right place and also install a working make.conf to the jail template.
>> 
>> The problem with shared ports is obvious if you mount them rw. If you do
>> mount them ro, they still expose much information about the host system
>> (i.e. which ports in which version are installed) and expose risks like
>> this:
> 
> Nullfs mounting a filesystem ro onto multiple jails *might* expose information about the host system. I would argue it shouldn't, because a good jail host system will have precious little installed as a matter of practice. Right? 
> 
> What's really being exposed by anyone curious enough to rummage through /usr/ports/distfiles is a list of software that was and may still be installed on neighboring jails. If someone malicious was in a jail on my boxes, any installed software they might exploit could be discovered faster and more reliably using nmap. 

If you have WRKDIRPREFIX and DISTDIR set to a diffenrent location on the host system as well, the ro mounted /usr/ports should be pretty empty (except for the vanilla ports tree itself), shouldn't it?
Of course you might have to download software twice if you don't share /usr/ports/distfiles.

Philip