Re: mount_nullfs: /var/run/log: must be either a file or directory

I'm not a security expert but I would think that null mounting a directory, file, or socket (if/when supported) would always have the chance of being a security problem if the target destination where it's being mounted in is untrusted (like mjg said in the review), but of course that is a decision we need to make ourselves based on our requirements and threat model. If we are null mounting a directory (combined with a ZFS dataset) in a private LAN and exporting that over NFS within the LAN, I would say that isn't a security problem. The same would apply if I were to (for whatever reason) want to share a socket across the network.

So overall, it depends how it's being used like a lot of things in life.

Jonathan Vasquez
PGP: 34DA 858C 1447 509E C77A D49F FB85 90B7 C4CA 5279
Sent with ProtonMail Secure Email

-------- Original Message --------
On Jul 7, 2023, 08:10, Mina Galić wrote:

> Hi folks, "recently", we added support for null-mounting single files: https://freshbsd.org/freebsd/src/commit/521fbb722c33663cf00a83bca70ad7cb790687b3 This code restricts the mountable … thing to: if ((lowerrootvp->v_type != VDIR && lowerrootvp->v_type != VREG) || … As the author of the abandoned https://reviews.freebsd.org/D27411 which attempted to add facility to syslog's rc to provide (selected) jails with a log socket, it was pointed out to me that this is a big security risk: https://reviews.freebsd.org/D27411#882100 so I was wondering if null mounts are the same kind of security hazard, or if not allowing sockets is just the oversight of a first approximation of this patch? Kind regards, Mina Galić Try PkgBase: https://alpha.pkgbase.live/