From nobody@FreeBSD.org  Thu Sep 21 05:03:48 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F1D7F16A407
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 21 Sep 2006 05:03:48 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BD5ED43D46
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 21 Sep 2006 05:03:48 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k8L53mPl090676
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 21 Sep 2006 05:03:48 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k8L53md5090675;
	Thu, 21 Sep 2006 05:03:48 GMT
	(envelope-from nobody)
Message-Id: <200609210503.k8L53md5090675@www.freebsd.org>
Date: Thu, 21 Sep 2006 05:03:48 GMT
From: "Jukka A. Ukkonen" <jau@iki.fi>
To: freebsd-gnats-submit@FreeBSD.org
Subject: "mount -o nodev" was useful for preventing escape from chroot/jail etc.
X-Send-Pr-Version: www-2.3

>Number:         103447
>Category:       kern
>Synopsis:       "mount -o nodev" was useful for preventing escape from chroot/jail etc.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 21 05:10:20 GMT 2006
>Closed-Date:    Sat Jan 27 18:46:28 GMT 2007
>Last-Modified:  Sat Jan 27 18:46:28 GMT 2007
>Originator:     Jukka A. Ukkonen
>Release:        6.2-PRERELEASE
>Organization:
private person
>Environment:
FreeBSD mjolnir 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #2: Wed Sep 20 08:33:47 EEST 2006     root@mjolnir:/usr/obj/usr/src/sys/Mjolnir  i386

>Description:
It seems the mount option nodev no longer exists.
It had its merits in making it harder to escape from chroot/jail.
One known method for such escapes has been making a new device entry
matching the major and minor device numbers of the actual /, mounting
it inside the confinded file system, and chroot()ing to it.

Now that devfs is the only place where device entries should live
having nodev around would make all the more sense.
All the other mount points could be marked nodev in the fstab.

>How-To-Repeat:
An easy way to test the "nodev" option is gone is to simply try using it with
a suitable test mount point.
"mount -o nodev" and the option "nodev" in fstab no longer are shown in
the output of "mount -p".
Also <sys/mount.h> defines it as...
#define MNT_NODEV       0               /* Deprecated option */

The normal file systems still can contain device nodes as before...
mknod rootdev c 0 142
The mknod creates a copy of a geom mirror used as the actual system root
in the system this was tried on.

Though jail can confine areas better than plain chroot also the latter
one will be around for quite some time. Having "mount -o nodev" around
would be one more addition to the layered onion like security.

>Fix:
If the nodev option was not awfully hard to maintain, please, return it to
the system.

>Release-Note:
>Audit-Trail:

From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To: "Jukka A. Ukkonen" <jau@iki.fi>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/103447: "mount -o nodev" was useful for preventing escape from chroot/jail etc. 
Date: Thu, 21 Sep 2006 05:14:58 +0000

 In message <200609210503.k8L53md5090675@www.freebsd.org>, "Jukka A. Ukkonen" wr
 ites:
 
 >It seems the mount option nodev no longer exists.
 >It had its merits in making it harder to escape from chroot/jail.
 >One known method for such escapes has been making a new device entry
 >matching the major and minor device numbers of the actual /, mounting
 >it inside the confinded file system, and chroot()ing to it.
 >
 >Now that devfs is the only place where device entries should live
 >having nodev around would make all the more sense.
 >All the other mount points could be marked nodev in the fstab.
 
 Not only is devfs the only place where device entries should
 live, it is the only place where they can work.
 
 If you make a device node in any other filesystem type, it won't
 work, no matter which major/minor numbers you give it.
 
 Nodev is implicit that way.
 
 We retain the ability to create devicenodes in other filesystems
 only for being able to handle diskless clients of other, mostly
 antique, operating systems.
 
 -- 
 Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
 phk@FreeBSD.ORG         | TCP/IP since RFC 956
 FreeBSD committer       | BSD since 4.3-tahoe    
 Never attribute to malice what can adequately be explained by incompetence.
State-Changed-From-To: open->closed 
State-Changed-By: rodrigc 
State-Changed-When: Sat Jan 27 18:45:33 UTC 2007 
State-Changed-Why:  
With devfs in the tree, -o nodev is gone, and is not coming back. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=103447 
>Unformatted:
