
if home directory cannot be read by root, errors on jail start #567

Closed
dlangille opened this issue Jun 14, 2018 · 0 comments

Comments

@dlangille
Contributor

commented Jun 14, 2018

iocage 0.9.10 on FreeBSD 11.1

jail starts, but services in jail do not

re https://twitter.com/DLangille/status/1006964882732929031

If the mac_bsdextended kernel module and the ugidfw feature are in use, root is not able to read user directories. This is a security choice.

Example:

[dvl@dvl-test:~] $ sudo iocage start testing.localdomain
********************************************************************************
fdescfs(5) is not mounted, performance may suffer. Please run:
mount -t fdescfs null /dev/fd
You can also permanently mount it in /etc/fstab with the following entry:
fdescfs /dev/fd  fdescfs  rw  0  0
********************************************************************************

* Starting testing_localdomain
  + Started OK
Traceback (most recent call last):
  File "/usr/local/bin/iocage", line 10, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/iocage/cli/start.py", line 54, in cli
    ioc.IOCage(exit_on_error=True, jail=jail, rc=rc).start()
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/iocage.py", line 1627, in start
    exit_on_error=self.exit_on_error)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_start.py", line 63, in __init__
    self.__start_jail__()
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_start.py", line 333, in __start_jail__
    os.chdir(original_path)
PermissionError: [Errno 13] Permission denied: '/usr/home/dvl'
[dvl@dvl-test:~] $

This is on a system where root cannot read the user home dir:

[dvl@dvl-test:/tmp] $ ls -ld /usr/home/dvl
drwx------  16 dvl  systems  8192 Jun 13 18:10 /usr/home/dvl

But the jail does start:

[dvl@dvl-test:/tmp] $ iocage list
+-----+---------------------+-------+--------------+-----------+
| JID |        NAME         | STATE |   RELEASE    |    IP4    |
+=====+=====================+=======+==============+===========+
| 386 | testing.localdomain | up    | 11.1-RELEASE | 127.0.0.5 |
+-----+---------------------+-------+--------------+-----------+
[dvl@dvl-test:/tmp] $

But sshd does not start.

If I go to /tmp, it works:

[dvl@dvl-test:/tmp] $ sudo iocage start testing.localdomain
* Starting testing_localdomain
  + Started OK
  + Starting services OK
[dvl@dvl-test:/tmp] $

With the above, sshd starts in the jail.

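The traceback above shows the mechanism: the jail is already up when the tool calls os.chdir() to return to the directory it was launched from, the MAC policy (mac_bsdextended / ugidfw) refuses root entry into the user's home, and the PermissionError aborts everything that would have run afterwards, including service start. The following is an added example, not iocage code, written to show that shape side by side with a restore that degrades to a directory root can always enter. The step names, the ordering of the steps, the jail path and the fake chdir used to simulate the ugidfw denial are constructed assumptions.

```python
"""Illustrates the failure in this issue: after the jail is up, returning to the
caller's working directory with os.chdir() raises PermissionError when a MAC
policy (mac_bsdextended / ugidfw) denies root access to that user's home, and
every step after the chdir is skipped. The hardened variant falls back to a
directory root can always enter. Constructed example; the step names, their
ordering, the jail path and the fake chdir are assumptions, not iocage code."""
import logging
import os
import tempfile

log = logging.getLogger("jailstart")


def make_fake_chdir(denied, state):
    """Constructed stand-in for os.chdir: refuses paths in `denied` the way
    ugidfw does for root, otherwise records the new cwd in `state`."""
    def chdir(path):
        if path in denied:
            raise PermissionError(13, "Permission denied", path)
        state["cwd"] = path
    return chdir


def start_jail_naive(jail_root, original_path, chdir=os.chdir):
    """Mirrors the shape of the traceback: the chdir back is unguarded, so a
    PermissionError aborts the run right after 'jail started'."""
    done = []
    chdir(jail_root)
    done.append("jail started")
    chdir(original_path)          # raises when root may not enter original_path
    done.append("services started")
    return done


def restore_cwd(original_path, fallback="/", chdir=os.chdir):
    """Return to original_path if root is allowed to; otherwise warn and move
    to `fallback`. Returns the directory actually entered."""
    try:
        chdir(original_path)
        return original_path
    except PermissionError as exc:
        log.warning("cannot return to %s (%s); continuing from %s",
                    original_path, exc, fallback)
        chdir(fallback)
        return fallback


def start_jail_hardened(jail_root, original_path, chdir=os.chdir, fallback="/"):
    """Same steps, but the cwd restore cannot abort the remaining steps."""
    done = []
    chdir(jail_root)
    done.append("jail started")
    restore_cwd(original_path, fallback=fallback, chdir=chdir)
    done.append("services started")
    return done


if __name__ == "__main__":
    # Real-filesystem run (no MAC policy needed): succeeds because the
    # caller's directory stays enterable for the current user.
    original = os.getcwd()
    with tempfile.TemporaryDirectory() as jail_root:
        print(start_jail_hardened(jail_root, original))
    # Simulated ugidfw denial of the caller's home directory (constructed paths).
    state = {"cwd": "/usr/home/dvl"}
    chdir = make_fake_chdir({"/usr/home/dvl"}, state)
    try:
        start_jail_naive("/iocage/jails/testing", "/usr/home/dvl", chdir=chdir)
    except PermissionError as exc:
        print("naive aborted:", exc)
    print(start_jail_hardened("/iocage/jails/testing", "/usr/home/dvl", chdir=chdir),
          "cwd now", state["cwd"])
```

Running it with a real directory works for any user; the simulated part reproduces the report without needing ugidfw loaded. The design point is that a cwd restore is housekeeping, not a precondition for starting services, so its failure should be logged and survived rather than allowed to unwind the whole start sequence.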