From owner-freebsd-current@FreeBSD.ORG Fri May 21 01:02:46 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1329B16A4CE; Fri, 21 May 2004 01:02:46 -0700 (PDT) Received: from darkness.comp.waw.pl (darkness.comp.waw.pl [195.117.238.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id B66BA43D39; Fri, 21 May 2004 01:02:45 -0700 (PDT) (envelope-from pjd@darkness.comp.waw.pl) Received: by darkness.comp.waw.pl (Postfix, from userid 1009) id BAB9EACABE; Fri, 21 May 2004 10:02:18 +0200 (CEST) Date: Fri, 21 May 2004 10:02:18 +0200 From: Pawel Jakub Dawidek To: Josef Karthauser Message-ID: <20040521080218.GY845@darkness.comp.waw.pl> References: <20040520220145.GN4567@genius.tao.org.uk> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="MaQSLyDmO9KOouzV" Content-Disposition: inline In-Reply-To: <20040520220145.GN4567@genius.tao.org.uk> User-Agent: Mutt/1.4.2i X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 5.2.1-RC2 i386 cc: freebsd-current@freebsd.org Subject: Re: Call for a hacker.... security.bsd.see_other_uids in jails only X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 May 2004 08:02:46 -0000 --MaQSLyDmO9KOouzV Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, May 20, 2004 at 11:01:45PM +0100, Josef Karthauser wrote: +> I was wondering whether someone might help me out. +>=20 +> There's a couple of sysctls in -current: +>=20 +> security.bsd.see_other_uids: 1 +> security.bsd.see_other_gids: 1 +>=20 +> These effectively allow one to prevent users from spying on each +> other. +>=20 +> What I need to do is to disable these within jails, but not in the +> host enviroment. The reason I need this is that I'm running the +> FreeBSD election on a box of mine, but I don't want to have to clear +> these globally. +>=20 +> Would someone have the time to hack me a patch to do this? It doesn't +> have to be clean, although evenually I'd like to see something like +> this committed to freebsd operating on a sysctl. Implementation wouldn't be probably too hard, but I can't agree it should be committed. We need to know where jail's virtualization ends and I think it is too far. Of course it will be cool to have those sysctl on per-jail basics, as well as others from security.bsd. tree (like security.bsd.suser_enabled), but I'm not sure this is the right way to go. Any other opinions? If someone convince me we should do it, I can do it. --=20 Pawel Jakub Dawidek http://www.FreeBSD.org pjd@FreeBSD.org http://garage.freebsd.pl FreeBSD committer Am I Evil? Yes, I Am! --MaQSLyDmO9KOouzV Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFArbeKForvXbEpPzQRAm6rAKDlFMx67guTfiy19Fu+JzsoUJelpgCgg9tw LA+FUaoEJnnHkmA/uAVsCtc= =o+6Q -----END PGP SIGNATURE----- --MaQSLyDmO9KOouzV--