[PATCH] jail NG schript patch for mounting devfs and procfsautomatically

Jens Rehsack rehsack at liwing.de
Fri Aug 15 07:17:47 PDT 2003 

On 14.08.2003 15:36, Scot W. Hetzel wrote:

> I just noticed a problem with periodic scripts inside a jail.  I'm getting:
> 
> Local system status:
> tee: /dev/stderr: Operation not supported
> 
> Mail in local queue:
> tee: /dev/stderr: Operation not supported
> 
> Mail in submit queue:
> tee: /dev/stderr: Operation not supported
> 
> in the periodic daily, weekly, monthly and security reports.  But if I mount
> the fdescfs on the jail, then these errors go away.
> 
> So we need to add the following to the new jail script
> 
> jail_start()
> {
>         :
>         eval jail_devfs=\"\$jail_${_jail}_devfs\"
>         [ -z ${jail_devfs} ] && jail_devfs="NO":
> 
>         eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
>         [ -z ${jail_fdescfs} ] && jail_fdescfs="NO"
>         :
>         if checkyesno jail_devfs ; then
>                 mount -t devfs dev ${jail_devdir}
>                 if checkyesno jail_fdescfs ; then
>                         mount -t fdescfs fdesc ${jail_devdir}/fd
>                 fi
>                 :
>         fi
>         :
> }
> 
> jail_stop()
> {
>         :
>         eval jail_devfs=\"\$jail_${_jail}_devfs\"
>         [ -z ${jail_devfs} ] && jail_devfs="NO":
> 
>         eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
>         [ -z ${jail_fdescfs} ] && jail_fdescfs="NO"
>         :
>         if checkyesno jail_devfs ; then
>                 if [ -d ${jail_devdir} ] ; then
>                         if checkyesno jail_fdescfs; then
>                                 umount -f ${jail_devdir}/fd >/dev/null 2>&1
>                         fi
>                         umount -f ${jail_devdir} >/dev/null 2>&1
>                 fi
>         fi
>         :
> }
> 
> The only decsion we need to make is wheter to always mount the fdescfs when
> devfs is mounted on the jail, or have a variable to enable mounting of the
> fdescfs (jail_*_fdescfs).
> 
> Scot

I don't run periodics in jails, because they are not allowed to mail
out :-)

But I wouldn't really care having fdescfs mounted every time as
security problem, so I would decide to mount it ever (or defaultly).
If someone cares, addition of jail_example_mount_fdescfs is
recommented.

I add a CC to security@, because of there may be one or other who
has an important comment.

Best,
Jens

More information about the freebsd-security mailing list