From owner-freebsd-current@FreeBSD.ORG Fri May 14 17:25:20 2004
Date: Fri, 14 May 2004 17:25:16 -0700 (PDT)
From: Julian Elischer
To: FreeBSD current users
Subject: jail and chflags [patch]

I have several situations where I use jails, but I also need to allow
processes to do 'chflags'. I trust these jailed processes, as I'm using
jails to allow different versions of the same software to run, rather
than to isolate untrusted users from each other...

More confusingly, it seems that chflags IS allowed in -current jails
despite the fact that the comments say it is not..

At the bottom is a patch I propose (relative to 4.8, which I use in
production) for allowing a sysctl that decides whether chflags is
permitted in a jail..

However, in -current the same code is:

    /*
     * Unprivileged processes and privileged processes in
     * jail() are not permitted to unset system flags, or
     * modify flags if any system flags are set.
     * Privileged non-jail processes may not modify system flags
     * if securelevel > 0 and any existing system flags are set.
     */
    if (!suser_cred(cred, PRISON_ROOT)) {
        if (ip->i_flags & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
            error = securelevel_gt(cred, 0);
            if (error)
                return (error);
        }
        [...]
    } else {
        [...]

which to me is confusing because suser_cred(cred, PRISON_ROOT) should
return 0 for a jailed root and thus allow it... despite what the comment
says. "man 9 suser" says that the PRISON_ROOT flag should be used to
ALLOW root privs in a jail. (and the code seems to agree)

In fact experimentation in -current shows this to be correct..
in a jail:

    xxx# chflags noschg libthr.so.1
    xxx# ls -lo libthr.so.1
    -r--r--r--  1 root  wheel  -     611568 May 15 00:02 libthr.so.1
    xxx# chflags schg libthr.so.1
    xxx# ls -lo libthr.so.1
    -r--r--r--  1 root  wheel  schg  611568 May 15 00:02 libthr.so.1
    xxx#

comments? yeas? nays?

julian

Index: sys/ufs/ufs/ufs_vnops.c =================================================================== RCS file: /repos/projects/mirrored/freebsd/src/sys/ufs/ufs/ufs_vnops.c,v retrieving revision 1.131.2.8 diff -u -r1.131.2.8 ufs_vnops.c --- sys/ufs/ufs/ufs_vnops.c 2003/01/02 17:26:19 1.131.2.8 +++ sys/ufs/ufs/ufs_vnops.c 2004/05/14 23:36:20 @@ -57,6 +57,7 @@ #include #include #include +#include #include #include @@ -426,6 +427,11 @@ return (0); } +SYSCTL_DECL(_vfs_ufs); +static int ufs_jail_flags = 0; +SYSCTL_INT(_vfs_ufs, OID_AUTO, jail_flags, CTLFLAG_RW, &ufs_jail_flags, + 0, "allow chflags in a jail"); + /* * Set attribute vnode op. called from several syscalls */ @@ -460,7 +466,8 @@ if (cred->cr_uid != ip->i_uid && (error = suser_xxx(cred, p, PRISON_ROOT))) return (error); - if ((cred->cr_uid == 0) && (p->p_prison == NULL)) { + if ((cred->cr_uid == 0) && ((p->p_prison == NULL) || + (ufs_jail_flags != 0))) { if ((ip->i_flags & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) && securelevel > 0)
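Review bot: the header name of the added #include in the first hunk (and of the surrounding context lines) was lost when the mail was extracted, so that hunk cannot be reviewed as posted; whatever header is meant has to be the one that defines SYSCTL_DECL and SYSCTL_INT, since the second hunk uses both in a file that apparently did not pull them in before. Worth re-posting the hunk with the header names intact.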
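Review bot: vfs.ufs.jail_flags in the second hunk is a single global CTLFLAG_RW integer, so it cannot express "this jail is trusted, that one is not": enabling it for the trusted jails in the author's setup enables it for every jail on the host, and any root process outside a jail can toggle it at runtime at any securelevel. If the knob stays global, CTLFLAG_SECURE would at least keep it from being changed once securelevel > 0; a per-prison field would match the stated use case better. The description string also overstates what is gated: the third hunk shows the check only concerns SF_NOUNLINK, SF_IMMUTABLE and SF_APPEND, so something like "allow jailed root to modify system file flags" says what the knob actually does.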
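Review bot: with ufs_jail_flags != 0 the new condition in the third hunk makes jailed root indistinguishable from host root in this check, so the only thing still preventing a jailed root from clearing schg, sappnd or sunlnk is securelevel > 0 with a system flag already set. That is exactly the -current behaviour the mail observes via suser_cred(cred, PRISON_ROOT), so the patch is consistent with -current, but the consequence should be spelled out next to the sysctl: where a jail's filesystem is shared with the host or with other jails, a jailed root can strip the immutable flag from files the host relies on, which is a protection jailing is usually expected to keep. The author trusts the jailed processes; the sysctl description should state that the knob is only safe under that assumption.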
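As an added example, not the author's patch and not FreeBSD kernel code: a small userland C model of the flag check in the two forms quoted in the mail (4.8 with the proposed vfs.ufs.jail_flags sysctl, and -current with suser_cred(cred, PRISON_ROOT)), so the two policies can be compared for a jailed root, a host root and an ordinary uid side by side. The flag values are FreeBSD's sys/stat.h values; the unprivileged else branch that the mail elides as [...] is assumed to permit only UF_* flag changes and only when no system flag is currently set, and -current's securelevel_gt(cred, 0) is modelled with one global securelevel. Those assumptions are the editor's, not taken from the page.

```c
/*
 * Userland model of the UFS setattr flag check discussed in the mail.
 * Added example, not kernel code. Assumptions (editor's, not the page's):
 *  - flag values as in FreeBSD sys/stat.h;
 *  - the "unprivileged" else branch (elided as [...] in the mail) allows
 *    only UF_* changes and only when no SF_* flag is currently set;
 *  - -current's securelevel_gt(cred, 0) is modelled with one securelevel.
 */
#include <errno.h>
#include <stdio.h>

#define UF_SETTABLE  0x0000ffffU   /* flags the file owner may change */
#define SF_SETTABLE  0xffff0000U   /* flags only the superuser may change */
#define SF_IMMUTABLE 0x00020000U   /* schg   */
#define SF_APPEND    0x00040000U   /* sappnd */
#define SF_NOUNLINK  0x00100000U   /* sunlnk */
#define SF_SYSTEM    (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)

struct actor    { int uid; int jailed; };            /* cr_uid, p_prison != NULL */
struct settings { int securelevel; int ufs_jail_flags; };

/* Branch for callers not privileged for this purpose (assumed, see above). */
static int unprivileged_path(unsigned *cur, unsigned want)
{
    if ((*cur & SF_SYSTEM) || (want & UF_SETTABLE) != want)
        return EPERM;
    *cur = (*cur & SF_SETTABLE) | (want & UF_SETTABLE);
    return 0;
}

/* Privileged branch: only securelevel guards flags already set. */
static int privileged_path(int securelevel, unsigned *cur, unsigned want)
{
    if ((*cur & SF_SYSTEM) && securelevel > 0)
        return EPERM;
    *cur = want;
    return 0;
}

/* 4.8 + proposed sysctl: root outside a jail, or root inside one while
 * vfs.ufs.jail_flags != 0, takes the privileged path. */
int chflags_48_patched(struct actor a, struct settings s, unsigned *cur, unsigned want)
{
    if (a.uid == 0 && (!a.jailed || s.ufs_jail_flags != 0))
        return privileged_path(s.securelevel, cur, want);
    return unprivileged_path(cur, want);
}

/* -current as quoted: suser_cred(cred, PRISON_ROOT) returns 0 for root whether
 * jailed or not, so jailed root always takes the privileged path. */
int chflags_current(struct actor a, struct settings s, unsigned *cur, unsigned want)
{
    if (a.uid == 0)
        return privileged_path(s.securelevel, cur, want);
    return unprivileged_path(cur, want);
}

/* One attempt under each policy; returns 0 or EPERM. */
int try_48(int uid, int jailed, int securelevel, int knob, unsigned cur, unsigned want)
{
    struct actor a = { uid, jailed };
    struct settings s = { securelevel, knob };
    return chflags_48_patched(a, s, &cur, want);
}

int try_current(int uid, int jailed, int securelevel, unsigned cur, unsigned want)
{
    struct actor a = { uid, jailed };
    struct settings s = { securelevel, 0 };
    return chflags_current(a, s, &cur, want);
}

int main(void)
{
    /* Jailed root running "chflags noschg" on an schg file, as in the
     * terminal session in the mail, under three settings. */
    struct settings cfg[] = { { 0, 0 }, { 0, 1 }, { 1, 1 } };
    const char *label[] = { "secl=0 knob=0", "secl=0 knob=1", "secl=1 knob=1" };
    unsigned i;

    for (i = 0; i < 3; i++) {
        int e48 = try_48(0, 1, cfg[i].securelevel, cfg[i].ufs_jail_flags, SF_IMMUTABLE, 0);
        int ecur = try_current(0, 1, cfg[i].securelevel, SF_IMMUTABLE, 0);
        printf("%s: 4.8+patch -> %s, -current -> %s\n", label[i],
               e48 ? "EPERM" : "ok", ecur ? "EPERM" : "ok");
    }
    return 0;
}
```

The table the program prints makes the mail's observation concrete: under the model, jailed root is refused "noschg" on 4.8 unless the knob is set, succeeds on -current at securelevel 0 regardless of any knob, and is refused on both once securelevel > 0 and a system flag is already set.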