Jail in zfs filesystem: non-root user has no access

Allan Jude allanjude at freebsd.org
Sat Jan 17 18:24:48 UTC 2015 

On 2015-01-17 13:04, javocado wrote:
> System: FreeBSD 8.4 amd
> 
> We have a jail in a zfs filesystem with the following create properties:
> 
> zpool create -O devices=off -O atime=off -O setuid=off -O exec=off -O
> compression=on ...
> 
> zfs create -o devices=off -o atime=off -o setuid=off -o compression=on -o
> ...
> 
> Everything works and runs fine, but when we try to do anything as a
> non-root user we run into issues:
> 
> ssh user at x.x.x.x
> Password:
> Last login: Thu Jan 15 16:40:14 2015 from 209.242.167.133
> Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
> The Regents of the University of California.  All rights reserved.
> 
> Could not chdir to home directory /home/user: Permission denied
> /bin/csh: Permission denied
> Connection to x.x.x.x closed.
> 
> ----------------
> 
> [root @ xxxxx] /# su user
> su: /bin/sh: Permission denied
> 
> ----------------
> 
> Permissions on the dir are fine:
> 
> # ll
>  1 lrwxr-xr-x    1 root  wheel     8 Jan 11  2012 home@ -> usr/home
> ...
> 
> # ll usr
> 24 drwxr-xr-x  17 root  wheel   17 Jan 11  2012 ./
> 24 drwx------  18 root  wheel   23 Jan 11  2012 ../
> ...
> 
> # ll usr/home
> 24 drwxr-xr-x   3 root  wheel   3 Jan 11  2012 ./
> 24 drwxr-xr-x  17 root  wheel  17 Jan 11  2012 ../
> 24 drwxr-xr-x   2 user  user   10 Jan 11  2012 user/
> 
> 
> My suspicion is it has to do with the setuid=off or exec=off on the pool,
> since these settings set to "=on" on the zfs device itself have no impact.
> But, before I tinker with the pool...which I'm not prepared to do for other
> security-related reasons, I wanted to confirm what may be causing this.
> 
> Thanks!
> _______________________________________________
> freebsd-jail at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
> 

You have set 'exec=off', so no binaries can ever be executed
So you can't run a shell

I am not sure how your system even boots, as you shouldn't be able to
run /sbin/init

-- 
Allan Jude

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20150117/e3c41c0f/attachment.sig>

More information about the freebsd-jail mailing list