From: "Julian H. Stacey" <jhs@berklix.com>
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-jail@freebsd.org, np@bsn.com
Subject: Re: /dev/pts/0 in a jail shows no one is observing from outer prison.
Date: Sat, 20 Jul 2013 00:38:57 +0200
Organization: http://berklix.com BSD Unix Linux Consultancy, Munich Germany
Message-Id: <201307192239.r6JMcvO2083730@fire.js.berklix.net>
In-reply-to: Your message "Fri, 19 Jul 2013 08:34:45 +0200." <86d2qfdpmi.fsf@nine.des.no>

Hi,
Reference:
> From: Dag-Erling Smørgrav
> Date: Fri, 19 Jul 2013 08:34:45 +0200

Dag-Erling Smørgrav wrote:
> "Julian H. Stacey" writes:
> > A ssh to a jail followed by Who, if it shows just pts/0, shows
> > no one else is logged in { within jail And Also Outer Prison
> > [And presumably also other parallel jails] }.
>
> Not really, it just shows that pts/0 was available.  Like file
> descriptors, pseudo-ttys are allocated on a first-unused basis.  There
> could be twenty people logged in; if the first logs out, the
> twenty-first gets pts/0.

Thanks DES,
Yes, I suppose so, on busy hardware.  It was more obvious what was going
on with my prison & jail as that was lightly logged in.

If FreeBSD wanted to obscure the information, I suppose one could do a
kernel tweak to do pty allocation from a cyclic buffer (like PID IDs)
rather than searching sequentially from 0 each time, but I guess there's
more interesting things to do than that.

> Also, please read the warning at the start of the jail chapter in the
> FreeBSD handbook.

Wow !  Light dawns brightly !

> I should probably update it to note that there are
> many ways in which information can leak between jails and the host.

If so do, maybe add
  http://lists.freebsd.org/mailman/listinfo/freebsd-jail
next to
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
if you think appropriate.  Thanks.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
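The point DES makes above (a low pts number only says that number was free, not that nobody else is logged in) is easy to see in a small simulation. The following is an added example, not code from the thread, from FreeBSD, or from either poster: it models a pool of pty unit numbers with two allocation policies, the first-unused policy DES describes and the cyclic policy Julian floats as a hypothetical kernel tweak (the names `PtyPool` and `des_scenario` are invented here), and replays the twenty-logins scenario under each.

```python
"""Simulation of the two pseudo-tty allocation policies discussed in the thread.

Added example, not from the FreeBSD tree or from either poster.  It replays
DES's scenario: twenty logins, the first session logs out, then a
twenty-first logs in.  Under first-unused allocation the newcomer lands on
pts/0 while nineteen other sessions are still active, so "who shows only
pts/0" is not evidence that a jail or its host is otherwise empty.  The
cyclic policy is the hypothetical tweak Julian mentions, not how FreeBSD
allocates ptys.
"""

from typing import Dict, List, Tuple


class PtyPool:
    """Pool of pty unit numbers 0..size-1 with a pluggable allocation policy."""

    def __init__(self, size: int, policy: str = "first-unused") -> None:
        if policy not in ("first-unused", "cyclic"):
            raise ValueError(f"unknown policy {policy!r}")
        self.size = size
        self.policy = policy
        self.in_use: Dict[int, str] = {}   # unit number -> session name
        self._next = 0                     # cursor used only by the cyclic policy

    def allocate(self, session: str) -> int:
        """Assign a free unit to `session`; raise if the pool is exhausted."""
        if len(self.in_use) >= self.size:
            raise RuntimeError("no free pty")
        if self.policy == "first-unused":
            # Lowest free number wins, like file-descriptor allocation.
            unit = next(u for u in range(self.size) if u not in self.in_use)
        else:
            # Cyclic: keep walking forward from the last unit handed out,
            # wrapping around, so a freed low number is not reused at once.
            while self._next in self.in_use:
                self._next = (self._next + 1) % self.size
            unit = self._next
            self._next = (self._next + 1) % self.size
        self.in_use[unit] = session
        return unit

    def release(self, unit: int) -> None:
        """Session on `unit` logs out."""
        del self.in_use[unit]

    def who(self) -> List[Tuple[str, str]]:
        """Rough stand-in for who(1): (session, pts/N) for every active session."""
        return [(s, f"pts/{u}") for u, s in sorted(self.in_use.items())]


def des_scenario(policy: str) -> Tuple[int, int]:
    """Twenty logins, the first logs out, a twenty-first logs in.

    Returns (unit handed to the 21st session, number of other active sessions).
    """
    pool = PtyPool(size=64, policy=policy)
    units = [pool.allocate(f"user{i}") for i in range(20)]
    pool.release(units[0])
    newcomer = pool.allocate("newcomer")
    others = len(pool.in_use) - 1
    return newcomer, others


if __name__ == "__main__":
    for policy in ("first-unused", "cyclic"):
        unit, others = des_scenario(policy)
        print(f"{policy:12s}: 21st session got pts/{unit}, "
              f"{others} other sessions still active")
```

Run stand-alone it prints that the twenty-first session gets pts/0 under first-unused allocation and pts/20 under the cyclic policy, with nineteen other sessions active in both cases; the number on your own terminal is simply not a census of who else is logged in, which is the reason the handbook's warning about information leaking between jails and the host cuts both ways.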