problem with jail and nullfs

Miroslav Lachman 000.fbsd at quip.cz
Tue Apr 20 17:10:50 CEST 2010


First, a general question to start with:

If I have a volume mounted with noexec, nosuid, then nothing can be 
executed from it. If I pick a directory on that volume and mount it 
via nullfs with exec and suid, then things can be executed from that 
directory just as from a regular partition.

Is this expected and correct behaviour?

And now the specifics...

/vol0 is storage holding "only" things that are not meant to be executed 
(data of various websites, mailboxes, etc.)

/dev/mirror/gm0s2d on /vol0 (ufs, local, noexec, nosuid, soft-updates)

Additionally, a Jail in the role of a full system installation needs to 
be deployed on that system. Since there is not enough space on another 
volume, I created a directory on /vol0 and mounted it via nullfs, and 
into it I also mounted the ports tree and devfs. I installed the base 
system without problems and started the jail:

/vol0/jail/.nullfs/rain on /vol0/jail/rain_new (nullfs, local)
/usr/ports on /vol0/jail/rain_new/usr/ports (nullfs, local)
devfs on /vol0/jail/rain_new/dev (devfs, local)

Up to this point everything is fine and behaves "normally" (as I expected)

Since the jail can be started from that nullfs mount, I would not expect 
further problems with executing anything inside that jail, but the 
opposite is true, and when compiling some ports the following error 
messages appear:

LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9 cc -Wl,-E 
-L/usr/local/lib -o miniperl  `echo malloc.o gv.o toke.o perly.o op.o 
pad.o regcomp.o dump.o util.o mg.o reentr.o hv.o av.o perl.o run.o 
pp_hot.o sv.o pp.o scope.o pp_ctl.o pp_sys.o doop.o doio.o regexec.o 
utf8.o taint.o deb.o universal.o xsutils.o globals.o perlio.o perlapi.o 
numeric.o mathoms.o locale.o pp_pack.o pp_sort.o  | sed 's/ op.o / /'` 
miniperlmain.o opmini.o -lm -lcrypt -lutil
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9  ./miniperl -w 
-Ilib -MExporter -e '<?>' || /usr/bin/make minitest
/libexec/ld-elf.so.1: Cannot execute objects on /

cp ext/re/re.pm lib/re.pm
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9  ./miniperl 
-Ilib configpm
/libexec/ld-elf.so.1: Cannot execute objects on /

*** Error code 1

Stop in /usr/ports/lang/perl5.8/work/perl-5.8.9.
*** Error code 1 (ignored)

[...]

cd t && (rm -f perl; /bin/ln -s ../miniperl perl)  && 
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9  ./perl TEST 
-minitest base/*.t comp/*.t cmd/*.t run/*.t io/*.t op/*.t uni/*.t </dev/tty
cannot open /dev/tty: Device busy
*** Error code 2 (ignored)
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9  ./miniperl 
-Ilib configpm
/libexec/ld-elf.so.1: Cannot execute objects on /

*** Error code 1

Stop in /usr/ports/lang/perl5.8/work/perl-5.8.9.
*** Error code 1

Stop in /usr/ports/lang/perl5.8.
*** Error code 1

Stop in /usr/ports/lang/perl5.8.

===>>> make failed for lang/perl5.8
===>>> Aborting update

===>>> Update for lang/perl5.8 failed
===>>> Aborting update

===>>> Update for databases/mytop failed
===>>> Aborting update

Terminated


Using pkg_add I installed Perl normally.


Compiling Apache went fine, but compiling PHP, for example, did not:

/libexec/ld-elf.so.1: Cannot execute objects on /

apxs:Error: Sorry, no shared object support for Apache.
apxs:Error: available under your platform. Make sure.
apxs:Error: the Apache module mod_so is compiled into.
apxs:Error: your server binary '/usr/local/sbin/httpd'..
"/usr/ports/Mk/bsd.apache.mk", line 288: warning: "/usr/local/sbin/apxs 
-q MPM_NAME" returned non-zero status
===>  php5-5.2.12 : Your apache does not support DSO modules.
*** Error code 1

Stop in /usr/ports/lang/php5.

===>>> make failed for lang/php5
===>>> Aborting update

===>>> Update for lang/php5 failed
===>>> Aborting update

===>>> Update for graphics/php5-gd failed
===>>> Aborting update

Terminated


From my layman's point of view it has something to do with exactly that 
noexec, nosuid and nullfs, but I have no idea what precisely, given that 
normal starting of the jail works OK and some things can also be 
compiled normally.

So I would like to know, from someone who sees further under the hood of 
this than I do, whether this is some "my problem" caused by "nullfs must 
not be used this way", or whether it is some bug in FreeBSD 6.4 (I have 
not tried it on another version) and in theory the whole thing should work.

Mirek
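The configuration the post describes, a nullfs mount of a directory that itself lives on a noexec,nosuid filesystem, as an added example that is not part of the original post: a POSIX shell function that reads the output of FreeBSD's mount(8) ("src on mnt (type, opt, ...)") and reports every nullfs mount whose source directory sits under a mount carrying noexec or nosuid. The mount table in the block is constructed from the mounts shown above; the root device name /dev/root-dev is a placeholder. The script only identifies the configuration, it does not explain the rtld error.

```shell
#!/bin/sh
# Added example (not from the original post): find nullfs mounts whose
# source directory sits on a filesystem mounted noexec or nosuid, given
# the output of FreeBSD's mount(8): "src on mnt (type, opt, opt, ...)".
# On a live FreeBSD system, after sourcing this file:
#     mount | find_nullfs_over_restricted

find_nullfs_over_restricted() {
    awk '
    {
        src = $1; mnt = $3
        # options are the comma-separated list inside the parentheses
        opts = $0; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
        n = split(opts, f, /, */)
        fstype = f[1]
        restricted[mnt] = ""
        for (i = 2; i <= n; i++)
            if (f[i] == "noexec" || f[i] == "nosuid")
                restricted[mnt] = restricted[mnt] (restricted[mnt] == "" ? "" : ",") f[i]
        if (fstype == "nullfs") { nsrc[mnt] = src; order[++k] = mnt }
    }
    END {
        for (j = 1; j <= k; j++) {
            mnt = order[j]; src = nsrc[mnt]
            # longest mount point that is a path prefix of the nullfs source:
            # that is the filesystem the lower directory actually lives on
            best = ""
            for (m in restricted)
                if (m == "/" || src == m || index(src, m "/") == 1)
                    if (length(m) > length(best)) best = m
            if (best != "" && restricted[best] != "")
                printf "%s inherits %s from %s\n", mnt, restricted[best], best
        }
    }'
}

# Constructed mount table mirroring the post; /dev/root-dev is a placeholder.
sample_mount_table() {
    cat <<'EOF'
/dev/root-dev on / (ufs, local, soft-updates)
/dev/mirror/gm0s2d on /vol0 (ufs, local, noexec, nosuid, soft-updates)
/vol0/jail/.nullfs/rain on /vol0/jail/rain_new (nullfs, local)
/usr/ports on /vol0/jail/rain_new/usr/ports (nullfs, local)
devfs on /vol0/jail/rain_new/dev (devfs, local)
EOF
}

sample_mount_table | find_nullfs_over_restricted
```

Run against the sample table it prints one line, for the jail root: the nullfs source /vol0/jail/.nullfs/rain lies under /vol0, which is noexec,nosuid, while the /usr/ports nullfs mount is not reported because its source lives on the unrestricted root filesystem. Mount points containing spaces are not handled, since the parser relies on whitespace-separated fields.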

