Dear all,
The strangest thing just happened as I was playing with moving Samba to a jail (14.1-RELEASE p5). Aside from the problems apparently expected with mDNS (avahi), I managed to connect to the server from a Linux Mint machine and, to my surprise, I saw the entire root file system of the host machine.
The share inside the jail is a nullfs mount of some ZFS dataset; the jail fstab looks like this:
Code:
/usr/local/bastille/releases/14.1-RELEASE /usr/local/bastille/jails/samba/root/.bastille nullfs ro 0 0
/tank/data/ /usr/local/bastille/jails/samba/root//data nullfs 0 0
The jail was set up with bastille and is set up like this:
Code:
samba {
  devfs_ruleset = 4;
  enforce_statfs = 1;
  allow.mount;
  allow.mount.fdescfs;
  allow.raw_sockets;
  exec.clean;
  exec.consolelog = /var/log/bastille/samba_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = samba;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/samba/fstab;
  path = /usr/local/bastille/jails/samba/root;
  securelevel = 2;
  osrelease = 14.1-RELEASE;
  interface = igb0;
  ip4.addr = 10.0.1.7;
  ip6 = disable;
}
Samba config just exposes one share, the same config on the host works just fine.
So why would a jailed server be able to expose the host's root filesystem?
thanks,
Mikolaj
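
An added example, not part of the original post: a small lint for a jail fstab like the one quoted above, checking each entry against the fstab(5) column layout and confirming that its mount point resolves inside the jail's `path`. The function name `lint_fstab` is hypothetical, and the sample input is constructed from the two fstab lines and the `path` value in the post.

```python
import posixpath

# Constructed from the two fstab lines quoted in the post.
SAMPLE = """\
/usr/local/bastille/releases/14.1-RELEASE /usr/local/bastille/jails/samba/root/.bastille nullfs ro 0 0
/tank/data/ /usr/local/bastille/jails/samba/root//data nullfs 0 0
"""
JAIL_ROOT = "/usr/local/bastille/jails/samba/root"  # "path" from the jail config


def lint_fstab(text, jail_root):
    """Return (line_number, message) findings for a jail fstab.

    fstab(5) columns: device, mount point, fstype, options, dump, passno.
    The check is lexical only: symlinks are not resolved.
    """
    root = posixpath.normpath(jail_root)
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if not 4 <= len(fields) <= 6:
            findings.append((n, f"expected 4-6 fields, got {len(fields)}"))
            continue
        _device, mountpoint, fstype, options = fields[:4]
        target = posixpath.normpath(mountpoint)  # collapses "//" and ".."
        if not target.startswith(root + "/"):
            findings.append((n, f"mount point {target} is not inside {root}"))
        if options.isdigit():
            # A bare number is not a mount option; the options column is
            # likely missing and dump/passno have shifted into its place.
            findings.append((n, f"options column is '{options}', not a mount option"))
        elif fstype == "nullfs" and "ro" not in options.split(","):
            findings.append((n, "nullfs mount is read-write"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_fstab(SAMPLE, JAIL_ROOT):
        print(f"fstab line {lineno}: {message}")
```

On the host, comparing the lint output with what `mount` actually reports under the jail's root shows whether the entries were applied as written.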