* procfs and chroot() ... ?
@ 2004-09-14 1:30 Jochen Bern
2004-09-14 2:53 ` viro
0 siblings, 1 reply; 3+ messages in thread
From: Jochen Bern @ 2004-09-14 1:30 UTC (permalink / raw)
To: linux-kernel
I'm trying to chroot() a server that needs to read one readonly pseudo
file from /proc . I tried to pinpoint my options to do so ...
-- The alternative to accessing this one pseudo file would be to grant
the server access to /dev/kmem ... NOT ... ANY ... BETTER!! 8-}
-- Mounting two procfs instances (one normal, one inside the chroot())
and setting restrictive permissions on the latter makes identical
changes to the former. (I assume that'ld be the same for ACLs?)
-- Deploying SELinux ... will have to do a good deal of reading to
even find out what'ld be involved in that ...
-- Mounting a "second" procfs, chroot()ing into the exact subdir the
file is in, and mounting non-procfs stuff (like the etc dir with the
configs) *over* the sub-subdirs (ARGH!) would *happen* to rid me of
all *writable* pseudo files, but still provide read access to way
more info that I'ld want to provide to the server ...
(- I'll try to Use The Source (tm) so that the server will not close the
pseudo file, and does the chroot() itself after opening it, but let's
assume for the sake of the argument that I won't succeed in that.)
Is there an official way (or *should* there be one) to have only *part*
of a procfs mounted into a chroot() jail?
Kind regards,
J. Bern
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: procfs and chroot() ... ?
2004-09-14 1:30 procfs and chroot() ... ? Jochen Bern
@ 2004-09-14 2:53 ` viro
2004-09-15 3:41 ` Nuno Silva
0 siblings, 1 reply; 3+ messages in thread
From: viro @ 2004-09-14 2:53 UTC (permalink / raw)
To: Jochen Bern; +Cc: linux-kernel
On Tue, Sep 14, 2004 at 03:30:29AM +0200, Jochen Bern wrote:
> I'm trying to chroot() a server that needs to read one readonly pseudo
> file from /proc . I tried to pinpoint my options to do so ...
>
> -- The alternative to accessing this one pseudo file would be to grant
> the server access to /dev/kmem ... NOT ... ANY ... BETTER!! 8-}
> -- Mounting two procfs instances (one normal, one inside the chroot())
> and setting restrictive permissions on the latter makes identical
> changes to the former. (I assume that'ld be the same for ACLs?)
> -- Deploying SELinux ... will have to do a good deal of reading to
> even find out what'ld be involved in that ...
> -- Mounting a "second" procfs, chroot()ing into the exact subdir the
> file is in, and mounting non-procfs stuff (like the etc dir with the
> configs) *over* the sub-subdirs (ARGH!) would *happen* to rid me of
> all *writable* pseudo files, but still provide read access to way
> more info that I'ld want to provide to the server ...
> (- I'll try to Use The Source (tm) so that the server will not close the
> pseudo file, and does the chroot() itself after opening it, but let's
> assume for the sake of the argument that I won't succeed in that.)
Egads...
mount --bind /proc/whatever/the/fsck/you/want \
/home/jail/wherever/the/fsck/you/want/to/see/it
(assuming that jail is in /home/jail and "mountpoint" exists).
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: procfs and chroot() ... ?
2004-09-14 2:53 ` viro
@ 2004-09-15 3:41 ` Nuno Silva
0 siblings, 0 replies; 3+ messages in thread
From: Nuno Silva @ 2004-09-15 3:41 UTC (permalink / raw)
To: viro; +Cc: Jochen Bern, linux-kernel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
viro@parcelfarce.linux.theplanet.co.uk wrote:
| On Tue, Sep 14, 2004 at 03:30:29AM +0200, Jochen Bern wrote:
|
|>I'm trying to chroot() a server that needs to read one readonly pseudo
|>file from /proc . I tried to pinpoint my options to do so ...
|>
|>-- The alternative to accessing this one pseudo file would be to grant
|> the server access to /dev/kmem ... NOT ... ANY ... BETTER!! 8-}
|>-- Mounting two procfs instances (one normal, one inside the chroot())
|> and setting restrictive permissions on the latter makes identical
|> changes to the former. (I assume that'ld be the same for ACLs?)
|>-- Deploying SELinux ... will have to do a good deal of reading to
|> even find out what'ld be involved in that ...
|>-- Mounting a "second" procfs, chroot()ing into the exact subdir the
|> file is in, and mounting non-procfs stuff (like the etc dir with the
|> configs) *over* the sub-subdirs (ARGH!) would *happen* to rid me of
|> all *writable* pseudo files, but still provide read access to way
|> more info that I'ld want to provide to the server ...
|>(- I'll try to Use The Source (tm) so that the server will not close the
|> pseudo file, and does the chroot() itself after opening it, but let's
|> assume for the sake of the argument that I won't succeed in that.)
|
|
| Egads...
|
| mount --bind /proc/whatever/the/fsck/you/want \
| /home/jail/wherever/the/fsck/you/want/to/see/it
|
| (assuming that jail is in /home/jail and "mountpoint" exists).
Jochen,
you can also --bind only one file. But you must create the file first:
# mkdir /var/jails/jail1/proc
# touch /var/jails/jail1/proc/cpuinfo
# mount --bind /proc/cpuinfo /var/jails/jail1/proc/cpuinfo
Regards,
Nuno Silva
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBR7ngOPig54MP17wRAuL9AKCnrrHSuAxGZTz0P53JthkMIF9wHgCeOMam
kv9QDqkpnAqB+XzVcTKNyIo=
=lJiN
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2004-09-15 3:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-09-14 1:30 procfs and chroot() ... ? Jochen Bern
2004-09-14 2:53 ` viro
2004-09-15 3:41 ` Nuno Silva
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox