From owner-freebsd-current@FreeBSD.ORG Sat May 15 10:52:20 2004
Date: Sat, 15 May 2004 19:52:15 +0200
From: Pawel Jakub Dawidek
To: Julian Elischer
Cc: rwatson@freebsd.org, FreeBSD current users
Subject: Re: jail and chflags [patch]
Message-ID: <20040515175215.GA845@darkness.comp.waw.pl>

On Fri, May 14, 2004 at 05:25:16PM -0700, Julian Elischer wrote:
>
> I have several situations where I use jails, but I also need to allow
> processes to do 'chflags'.
> I trust these jailed processes, as I'm using jails to allow different
> versions of the same software to run, rather than to isolate untrusted
> users from each other...
>
> More confusingly it seems that chflags IS allowed in -current jails
> despite the fact that the comments say they are not..
>
> At the bottom is a patch I propose (relative to 4.8 which I
> use in production) for allowing a sysctl that decides whether
> chflags is permitted in a jail..
>
> However, in -current the same code is:
>         /*
>          * Unprivileged processes and privileged processes in
>          * jail() are not permitted to unset system flags, or
>          * modify flags if any system flags are set.
>          * Privileged non-jail processes may not modify system flags
>          * if securelevel > 0 and any existing system flags are set.
>          */
>         if (!suser_cred(cred, PRISON_ROOT)) {
>                 if (ip->i_flags
>                     & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
>                         error = securelevel_gt(cred, 0);
>                         if (error)
>                                 return (error);
>                 }
>                 [...]
>         } else {
>                 [...]
>
> which to me is confusing because suser_cred(cred, PRISON_ROOT)
> should return 0 for a jailed root and thus allow it...
> despite what the comment says.
> "man 9 suser" says that the PRISON_ROOT flag should be used to ALLOW
> root privs in a jail. (and the code seems to agree)
>
> in fact experimentation in -current shows this to be correct..
> in a jail:
>
> xxx# chflags noschg libthr.so.1
> xxx# ls -lo libthr.so.1
> -r--r--r--  1 root  wheel  -     611568 May 15 00:02 libthr.so.1
> xxx# chflags schg libthr.so.1
> xxx# ls -lo libthr.so.1
> -r--r--r--  1 root  wheel  schg  611568 May 15 00:02 libthr.so.1
> xxx#
>
> comments? yeahs? nays?

Whoa! This looks very serious.

I agree with your fix, but a few words about the patch:

1. We should first commit it to -CURRENT.
2. We should also fix ext2fs.
3. Maybe we should rename the sysctl to
   security.jail.allow_system_flags_modifications?
   Not too short, but it isn't UFS-specific, and I'll be glad if we keep
   all jail-related sysctls in the security.jail. tree.

What's your opinion about my patch?

http://people.freebsd.org/~pjd/patches/jail2.patch

--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
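A userland model of the check Julian quoted, added here as an example (it is not code from the thread, from either patch, or from the FreeBSD tree). It shows why a jailed root passes the privileged branch once suser_cred(cred, PRISON_ROOT) returns 0, and what changes when a jail knob with the name Pawel proposes gates that branch; the unprivileged branch elided as "[...]" above, the struct cred layout and the helper names are my assumptions, and the flag values follow sys/stat.h.

```c
/* Added example: a userland model of the ufs_setattr flag check quoted above.
 * Not FreeBSD code; flag values follow sys/stat.h, everything else is simplified. */
#include <errno.h>
#include <stdbool.h>
#define UF_SETTABLE  0x0000ffffUL
#define SF_SETTABLE  0xffff0000UL
#define SF_IMMUTABLE 0x00020000UL   /* schg */
#define SF_APPEND    0x00040000UL   /* sappnd */
#define SF_NOUNLINK  0x00100000UL   /* sunlnk */
#define SF_GUARDED   (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)
struct cred { int uid; bool jailed; int securelevel; };   /* assumed layout */
/* suser_cred(cred, PRISON_ROOT) model: 0 for uid 0, jailed or not. */
static int suser_prison_root(const struct cred *c) { return c->uid == 0 ? 0 : EPERM; }
/* Shared body. The unprivileged branch, elided as "[...]" in the thread, is my
 * assumption: only user flags may change, and not while a system flag is set. */
static int setflags(const struct cred *c, bool privileged, unsigned long *i_flags, unsigned long va_flags)
{
    if (privileged) {
        if ((*i_flags & SF_GUARDED) != 0 && c->securelevel > 0)  /* securelevel_gt(cred, 0) */
            return EPERM;
        *i_flags = va_flags;
        return 0;
    }
    if ((*i_flags & SF_GUARDED) != 0 || (va_flags & UF_SETTABLE) != va_flags)
        return EPERM;
    *i_flags = (*i_flags & SF_SETTABLE) | (va_flags & UF_SETTABLE);
    return 0;
}
/* As quoted from -current: privilege comes from suser_cred alone, so jailed
 * root takes the privileged branch and the in-jail "chflags noschg" succeeds. */
int setflags_current(const struct cred *c, unsigned long *i_flags, unsigned long va_flags)
{
    return setflags(c, suser_prison_root(c) == 0, i_flags, va_flags);
}
/* With the proposed security.jail.allow_system_flags_modifications knob
 * (name from the thread): jailed root is privileged only while it is on. */
int setflags_gated(const struct cred *c, unsigned long *i_flags, unsigned long va_flags, bool allow)
{
    return setflags(c, suser_prison_root(c) == 0 && (!c->jailed || allow), i_flags, va_flags);
}
/* The quoted experiment, jailed root at securelevel 0 running "chflags noschg":
 * returns the errno, or 0 when schg was really cleared. */
int jailed_root_clears_schg(bool gated, bool allow)
{
    struct cred jroot = { .uid = 0, .jailed = true, .securelevel = 0 };
    unsigned long flags = SF_IMMUTABLE;
    int error = gated ? setflags_gated(&jroot, &flags, 0, allow) : setflags_current(&jroot, &flags, 0);
    return error != 0 ? error : (flags == 0 ? 0 : -1);
}
```

Non-jailed behaviour is unchanged by the knob: an unprivileged uid still gets EPERM for any system flag, and host root still gets EPERM at securelevel > 0 when a system flag is already set.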