Usage of nullfs inside a Jail / Hack 88 / allow_mount_nullfs

hoppel

New Member

Thanks: 4
Messages: 14

#1
Hi!

I've got the 88 character limitation for the fstab entry. It seems the problem will be solved in FreeBSD 12.x maybe in 2019.


How can I use nullfs inside a jail? Thats my fstab entry for the jail. It mounts the specific blog domain to the Wordpress jail.
Code:
/usr/home/someuser/www/blog.some-domain.com    /iocage/jails/www-wordpress/root/usr/home/someuser/www/blog.some-domain.com
Code:
    "allow_mount": "0",
    "allow_mount_nullfs": "0",
    "enforce_statfs": "2",
both allow must be 1? and enforce_statfs less 2? But inside the jail there is not /etc/fstab?


inside the wordpress jail I have to use nullfs with union to mount the Wordpress directory and allow the user to (over)write files for own settings. something like this... https://arrowd.name/posts/2016-10-20-sharing-wordpress.html

Code:
/iocage/jails/www-wordpress/root/
Needs a lot of characters. I've got the http://iocage.readthedocs.io/en/latest/known-issues.html#character-mount-path-limitation limitation problem.

Is there a solution for a fstab inside the jail?


Thanks
Steffen
 

Snurg

Aspiring Daemon

Thanks: 326
Messages: 794

#2
Best way would be to make the actual directory paths short and use (symbolic) links.
This way you can shorten this "/iocage/jails/www-wordpress/root/usr/home/" to a few chars.
As you said correctly, FreeBSD 12 removes that limit. When this comes, you can rid the links.

And yes, you need the jail settings you listed if you want to allow mounting from inside the jail. I won't recommend that due to the frequent security holes of WP, though. And read jail.conf() for the correct syntax, that one you showed is wrong, " ,= true/false.
 
OP
OP
hoppel

hoppel

New Member

Thanks: 4
Messages: 14

#3
Thank u you. The config between iocage and jail.conf has a bit of syntax diffs. iocage is in json format.

I can shortened with an additional nullfs. But the fstab is outside the jail in the /iocage/jail/www-wordpress directory. Why should I switch the
Code:
"allow_mount": "0",
   "allow_mount_nullfs": "0",
   "enforce_statfs": "2",
flags. That's the usual config outside the jail.

I won't recommend that due to the frequent security holes of WP, though.
That's the reason why I would like to install Wordpress with the /usr/ports and mount it read-only to the user blog directory and to use union to overwrite custom files. The wordpress jail gets only the specific user blog directory via fstab injected. If the Wordpress jail is hacked only the Wordpress files and the mysql config is leaked. nothing else. There is a nginx jail I used as proxy pass for the blog domains. security separations for wordpress...

Steffen
 

hukadan

Active Member

Thanks: 154
Messages: 244

#4
Why don't you use the /etc/fstab file of the host system so you don't have to mess with the jail configuration ?
 

Snurg

Aspiring Daemon

Thanks: 326
Messages: 794

#5
I have to correct myself... I forgot the word "change"... If you want to mount nullfs from inside jail.
But as you do not plan to do that, the default settings listed won't allow users inside the jail to mount host filesystem.
Then it probably will be sufficient to move directories like that way and create symlinks on host (and maybe jail, too, if the resulting path > 88 chars), and adjust the host fstab accordingly, i.e.:
/i -> /iocage
/i/j -> /iocage/jails
/i/j/w ->/iocage/jails/www-wordpress
and so on.
This is ugly but does not require excessive work.
 
OP
OP
hoppel

hoppel

New Member

Thanks: 4
Messages: 14

#6
Thank u you.

What is the security risk if I mount outside the jail?
Code:
/usr/home/someuser/www/blog.some-domain.com   /iocage/jails/www-wordpress/root/usr/home/someuser/www/blog.some-domain.com    rw  0  0
Switch the flags to
Code:
"allow_mount": "1",
"allow_mount_nullfs": "1",
"enforce_statfs": "1",

and then mount inside the jail (does /etc/fstab works inside the jail or do I have to use mount_nullfs(8) via command line)
Code:
/usr/local/www/wordpress   /usr/home/someuser/www/blog.some-domain.com/public_html  nullfs ro
/usr/home/someuser/www/blog.some-domain.com/wp-root   /usr/home/someuser/www/blog.some-domain.com/public_html nullfs rw,union
/usr/home/someuser/www/blog.some-domain.com/wp-content/plugins   /usr/home/someuser/www/blog.some-domain.com/public_html/wp-content/plugins nullfs rw,union
/usr/home/someuser/www/blog.some-domain.com/wp-content/uploads   /usr/home/someuser/www/blog.some-domain.com/public_html/wp-content/uploads nullfs rw,union

Steffen

I have to correct myself... I forgot the word "change"... If you want to mount nullfs from inside jail.
But as you do not plan to do that, the default settings listed won't allow users inside the jail to mount host filesystem.
 

Snurg

Aspiring Daemon

Thanks: 326
Messages: 794

#7
From jail():
When set to 0, all mount points are available without any restrictions.
When set to 1, only mount points below the jail's chroot directory are visible.
In addition to that, the path to the jail's chroot directory is removed from the front of their pathnames.
Either copy/move the wordpress stuff you built to below the chroot directory, so 1 is sufficient, or use 0 (probably not desirable).
Try yourself whether fstab works inside the jail. I suppose yes, but didn't try yet, so would appreciate if you can report back.

Edit: If you have a local copy in the jail, you easily can add a cronjob on the host comparing/watching the jail copy for any changes, alerting you that somebody possibly hacked in some "addons"...
 
OP
OP
hoppel

hoppel

New Member

Thanks: 4
Messages: 14

#8
I change the directory structure and now it fits with the 88 characters. Changing
Code:
enforce_statfs
to less than 2 is no option.

mounting the port
Code:
/usr/local/www/wordpress
directory as ro to the user blog site works very well. I mount root / plugins / uploads as nullfs and union for writing user custom files.

thank u
Steffen
 
Top