Problem with jail and nullfs
Miroslav Lachman
000.fbsd at quip.cz
Tue Apr 20 17:10:50 CEST 2010
First, a general question to start with:
If I have a volume mounted with noexec, nosuid, then nothing can be executed
from it. If I pick some directory on that volume and mount it via nullfs
with exec and suid, then things can be executed from that directory just as
from a normal partition.
Is that the expected and correct behaviour?
And now specifically...
/vol0 is storage holding "only" things that are not supposed to be executed
(data of various websites, mailboxes, etc.)
/dev/mirror/gm0s2d on /vol0 (ufs, local, noexec, nosuid, soft-updates)
Additionally, a Jail needs to be deployed on that system in the role of a
full system installation. Since there is not enough space on another volume,
I created a directory on /vol0 and mounted it via nullfs, and into it I also
mounted the ports tree and devfs. I installed the base system without
problems and started the jail:
/vol0/jail/.nullfs/rain on /vol0/jail/rain_new (nullfs, local)
/usr/ports on /vol0/jail/rain_new/usr/ports (nullfs, local)
devfs on /vol0/jail/rain_new/dev (devfs, local)
So far everything is fine and everything behaves "normally" (according to my expectations)
Since a jail can be started from that nullfs mount, I would not expect any
further problems with executing anything inside that jail, but the opposite
is true, and when compiling some ports the following error messages appear:
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9 cc -Wl,-E
-L/usr/local/lib -o miniperl `echo malloc.o gv.o toke.o perly.o op.o
pad.o regcomp.o dump.o util.o mg.o reentr.o hv.o av.o perl.o run.o
pp_hot.o sv.o pp.o scope.o pp_ctl.o pp_sys.o doop.o doio.o regexec.o
utf8.o taint.o deb.o universal.o xsutils.o globals.o perlio.o perlapi.o
numeric.o mathoms.o locale.o pp_pack.o pp_sort.o | sed 's/ op.o / /'`
miniperlmain.o opmini.o -lm -lcrypt -lutil
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9 ./miniperl -w
-Ilib -MExporter -e '<?>' || /usr/bin/make minitest
/libexec/ld-elf.so.1: Cannot execute objects on /
cp ext/re/re.pm lib/re.pm
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9 ./miniperl
-Ilib configpm
/libexec/ld-elf.so.1: Cannot execute objects on /
*** Error code 1
Stop in /usr/ports/lang/perl5.8/work/perl-5.8.9.
*** Error code 1 (ignored)
[...]
cd t && (rm -f perl; /bin/ln -s ../miniperl perl) &&
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9 ./perl TEST
-minitest base/*.t comp/*.t cmd/*.t run/*.t io/*.t op/*.t uni/*.t </dev/tty
cannot open /dev/tty: Device busy
*** Error code 2 (ignored)
LD_LIBRARY_PATH=/usr/ports/lang/perl5.8/work/perl-5.8.9 ./miniperl
-Ilib configpm
/libexec/ld-elf.so.1: Cannot execute objects on /
*** Error code 1
Stop in /usr/ports/lang/perl5.8/work/perl-5.8.9.
*** Error code 1
Stop in /usr/ports/lang/perl5.8.
*** Error code 1
Stop in /usr/ports/lang/perl5.8.
===>>> make failed for lang/perl5.8
===>>> Aborting update
===>>> Update for lang/perl5.8 failed
===>>> Aborting update
===>>> Update for databases/mytop failed
===>>> Aborting update
Terminated
Using pkg_add I installed Perl normally.
Compiling Apache went normally, but compiling PHP, for example, did not:
/libexec/ld-elf.so.1: Cannot execute objects on /
apxs:Error: Sorry, no shared object support for Apache.
apxs:Error: available under your platform. Make sure.
apxs:Error: the Apache module mod_so is compiled into.
apxs:Error: your server binary '/usr/local/sbin/httpd'..
"/usr/ports/Mk/bsd.apache.mk", line 288: warning: "/usr/local/sbin/apxs
-q MPM_NAME" returned non-zero status
===> php5-5.2.12 : Your apache does not support DSO modules.
*** Error code 1
Stop in /usr/ports/lang/php5.
===>>> make failed for lang/php5
===>>> Aborting update
===>>> Update for lang/php5 failed
===>>> Aborting update
===>>> Update for graphics/php5-gd failed
===>>> Aborting update
Terminated
From my layman's point of view it has something to do precisely with that
noexec, nosuid and nullfs, but I have no idea what exactly, given that normal
starting of the jail works OK and some things can also be compiled normally.
So I would like to know, from someone who sees more under the hood of this
than I do, whether this is some "my problem" caused by "nullfs must not be
used this way", or whether it is some bug in FreeBSD 6.4 (I have not tried
it on another version) and in theory the whole thing should work.
Mirek
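A check for the situation described in this message, added here as an example and not part of the original post: it scans a FreeBSD `mount` listing for nullfs mounts that re-enable execution (or setuid) over a filesystem mounted noexec/nosuid, which is what happens with /vol0 above. The function names are my own and the sample mount table is constructed from the mount lines quoted in the message.

```shell
#!/bin/sh
# Added example: audit a `mount` listing for nullfs mounts whose lower directory
# lives on a noexec/nosuid filesystem but whose own mount lacks those flags.
# The sample table is constructed from the post; no real system is inspected.
SAMPLE_MOUNTS='/dev/mirror/gm0s2d on /vol0 (ufs, local, noexec, nosuid, soft-updates)
/vol0/jail/.nullfs/rain on /vol0/jail/rain_new (nullfs, local)
/usr/ports on /vol0/jail/rain_new/usr/ports (nullfs, local)
devfs on /vol0/jail/rain_new/dev (devfs, local)'

# Print the option list (", opt1, opt2,") of the longest mountpoint that contains $1.
# $1 = path to look up, $2 = mount table text. Empty output if no listed mount covers it.
find_backing_opts() {
    printf '%s\n' "$2" | {
        best_len=0; best_opts=""
        while IFS= read -r mline; do
            mp=${mline#* on }; mp=${mp%% (*}
            opts=${mline#*(}; opts=", ${opts%)},"
            case "$mp" in /) prefix=/ ;; *) prefix="$mp/" ;; esac
            case "$1/" in "$prefix"*)
                if [ "${#mp}" -gt "$best_len" ]; then best_len=${#mp}; best_opts=$opts; fi ;;
            esac
        done
        printf '%s\n' "$best_opts"
    }
}

# For every nullfs mount in the table ($1), print "mountpoint<TAB>lower<TAB>flags",
# where flags are the noexec/nosuid restrictions of the backing filesystem that the
# nullfs mount does not carry itself (i.e. execution is re-enabled over that storage).
audit_nullfs_exec() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in *"(nullfs"*) ;; *) continue ;; esac
        lower=${line%% on *}
        mp=${line#* on }; mp=${mp%% (*}
        own=${line#*(}; own=", ${own%)},"
        backing=$(find_backing_opts "$lower" "$1")
        lost=""
        for flag in noexec nosuid; do
            case "$backing" in *", $flag,"*)
                case "$own" in *", $flag,"*) ;; *) lost="$lost$flag," ;; esac ;;
            esac
        done
        if [ -n "$lost" ]; then printf '%s\t%s\t%s\n' "$mp" "$lower" "${lost%,}"; fi
    done
}

# On a live system run: audit_nullfs_exec "$(mount)"
audit_nullfs_exec "$SAMPLE_MOUNTS"
```

With the sample table this reports only /vol0/jail/rain_new, backed by the noexec,nosuid /vol0; the /usr/ports nullfs mount is not flagged because its lower directory is not on a restricted filesystem in the listing.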