Date:      Mon, 6 Feb 2006 14:14:21 -0700
From:      "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
To:        Björn König <bkoenig@cs.tu-berlin.de>
Cc:        current@freebsd.org
Subject:   Re: unprivileged users are able to kill certain jailed processes
Message-ID:  <778A6B9C-DADC-45AE-A5C8-DEFC2D2C41D4@shire.net>
In-Reply-To: <43E7B1A7.8010501@cs.tu-berlin.de>
References:  <43E60708.9000902@cs.tu-berlin.de> <43E7494B.9040401@freebsd.org> <43E7B1A7.8010501@cs.tu-berlin.de>


On Feb 6, 2006, at 1:29 PM, Björn König wrote:

> Andre Oppermann schrieb:
>
>> [...] If you have normal users on the host and
>> have jails under the same user id then, yea, tough luck.  You're not
>> supposed to do that. [...]
>
> Yes, I can prevent overlapping UIDs, but how to prevent
> that if host administrator and jail administrator are two
> independent parties? It requires much more carefulness and
> precautions.

Well, the host admin, when detailing services and responsibilities to
the jail admin (I have a similar situation), can tell the jail admin
which range of UIDs to use for new users.  I typically use the last
byte of the IP address * 100 as the base.

E.g., say a jail is 192.168.1.100 then they can start with 10000 as a
UID and go up to 10100.

Additionally, the host should ideally have no users but the bare
minimum for the admin.  All the "host"-based users and services
should ideally be in their own jail.

And if you can use a common base jail install mounted read only
inside each jail, you will greatly increase security of the jails as
exploits that replace system binaries will fail.

Greetings from Utah
Chad


---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
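
An added example, not part of the original message: a check a host admin could run over the host's and a jail's passwd(5) files to apply the UID convention described above (last byte of the jail IP * 100 as the base, 100 UIDs upward). The function names, the system-account cutoffs and the sample passwd data are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions: UIDs up to 999 and "nobody" (65534) are base-system accounts
# that exist in every jail by design, so only user accounts are audited.
SYSTEM_UID_MAX = 999
NOBODY_UID = 65534
RANGE_SPAN = 100

def uid_range(jail_ip):
    """UIDs assigned to a jail: last byte of its IP * 100, up to base + 100."""
    base = ipaddress.IPv4Address(jail_ip).packed[-1] * 100
    return range(base, base + RANGE_SPAN + 1)  # inclusive, e.g. 10000..10100

def parse_passwd(text):
    """Return {uid: [names]} for non-system accounts in passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdecimal():
            continue  # comment, blank or malformed entry: skip, do not guess
        uid = int(fields[2])
        if uid > SYSTEM_UID_MAX and uid != NOBODY_UID:
            users.setdefault(uid, []).append(fields[0])
    return users

def audit_jail(jail_ip, jail_passwd, host_passwd):
    """List (name, uid, reason) for jail users that break the convention."""
    allowed = uid_range(jail_ip)
    host = parse_passwd(host_passwd)
    findings = []
    for uid, names in sorted(parse_passwd(jail_passwd).items()):
        for name in names:
            if uid not in allowed:
                findings.append((name, uid, "outside assigned range"))
            if uid in host:  # same UID on the host: host user can signal it
                findings.append((name, uid, "collides with host user " + host[uid][0]))
    return findings

# Constructed sample data, not taken from any real system.
HOST_PASSWD = """root:*:0:0:Charlie &:/root:/bin/csh
admin:*:1001:1001:Host admin:/home/admin:/bin/sh
"""
JAIL_PASSWD = """root:*:0:0:Charlie &:/root:/bin/csh
alice:*:10000:10000:Alice:/home/alice:/bin/sh
bob:*:1001:1001:Bob:/home/bob:/bin/sh
carol:*:10250:10250:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for finding in audit_jail("192.168.1.100", JAIL_PASSWD, HOST_PASSWD):
        print(*finding)
```

Because the upper bound is inclusive, the top UID of one jail's range equals the base of the next address's range; hand out consecutive addresses with that in mind.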