From: Greg Larkin
Organization: The FreeBSD Project
Date: Mon, 12 Apr 2010 09:08:01 -0400
To: "Erich Jenkins, Fuujin Group Ltd"
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: jail file and directory permissions
Reply-To: glarkin@FreeBSD.org
Message-ID: <4BC31B31.6060201@FreeBSD.org>
In-Reply-To: <4BC2E662.1050007@fuujingroup.com>
List-Id: "Discussion about FreeBSD jail(8)"

Erich Jenkins, Fuujin Group Ltd wrote:
> Kalle Møller wrote:
>
>> Could you please make a command list on what you're doing and with
>> output.. like this ...
>>
>> --
>>
>> Kind regards
>>
>> Kalle R. Møller
>
>
> Here's what I'm seeing:
>
> jail0495> pwd
> /usr/home/testuser
> jail0495> ll
> -rw------- 1 testuser rmtuser 1957 Apr 12 02:22 .history
> drwxr--r-- 2 root wheel 1024 Apr 12 02:22 testdir
> jail0495> users
> testuser
> jail0495> cd testdir
> jail0495> ll
> -rw-r--r-- 2 root wheel 4096 Apr 12 02:24 textfile.txt
> jail0495> rm textfile.txt
> override rw-r--r-- root/wheel for textfile.txt ? y
> jail0495> ll
> total 0
> jail0495>
>
> As you can see, this is of great concern.
>

Hi Erich,

I use jails extensively on my company systems here, so I am interested
in this problem. I set up a test environment that I believe mirrors yours:

jail54# pwd
/usr/home/glarkin
jail54# ls -al testdir
total 6
drwxr--r-- 2 root wheel 512 Apr 12 08:52 .
drwxr-xr-x 5 glarkin glarkin 512 Apr 12 08:52 ..
-rw-r--r-- 1 root wheel 7 Apr 12 08:52 foo.txt
jail54# # exit
[glarkin@jail54 ~]$ cd testdir
-bash: cd: testdir: Permission denied
[glarkin@jail54 ~]$ rm testdir/foo.txt
rm: testdir/foo.txt: Permission denied
[glarkin@jail54 ~]$ rm -rf testdir
rm: testdir/foo.txt: Permission denied
rm: testdir: Directory not empty

My situation is slightly different than yours, since my jails are based
on FreeBSD 6.4, instead of 7.x.

As a first step to troubleshooting, please log in to your jail as your
non-privileged user, run the following commands from its home directory,
then post the permtest1.log and permtest2.log files somewhere that we
can review them:

truss -f -a -s 256 -o permtest1.log cd testdir
truss -f -a -s 256 -o permtest2.log rm testdir/textfile.txt

Also run the "df" and "mount" commands from the user's home directory
inside the jail as well as from the same directory but outside of the
jail context. Please post the output of those commands somewhere as well.

Thank you,
Greg
--
Greg Larkin

http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you
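
The check that both transcripts exercise, written out as a small model (an added example, not part of the original message): the classic Unix owner/group/other rules applied to the `ls -l` lines quoted above. The group memberships (testuser in rmtuser only, glarkin in glarkin only) are assumptions, and ACLs, MAC policy, file flags, sticky directories and root's bypass are not modelled.

```python
# Added illustration: classic Unix owner/group/other check only.
# Not modelled: ACLs, MAC policy, file flags, sticky directories, root's bypass.
from collections import namedtuple

W, X = 2, 1
Entry = namedtuple("Entry", "kind mode owner group name")

def parse_ls_line(line):
    """Parse `ls -l` output: perms, links, owner, group, size, 3 date fields, name."""
    fields = line.split(None, 8)
    perms = fields[0]
    mode = 0
    for ch in perms[1:10]:
        # 'S' and 'T' mean setuid/setgid/sticky WITHOUT the execute bit.
        mode = (mode << 1) | int(ch not in "-ST")
    return Entry(perms[0], mode, fields[2], fields[3], fields[8])

def class_bits(entry, user, groups):
    """rwx triplet that applies to the caller: the first matching class wins."""
    if user == entry.owner:
        return (entry.mode >> 6) & 7
    if entry.group in groups:
        return (entry.mode >> 3) & 7
    return entry.mode & 7

def can_chdir(directory, user, groups):
    """Entering a directory needs search (x) permission on it."""
    return bool(class_bits(directory, user, groups) & X)

def can_unlink(directory, user, groups):
    """Removing a name needs write AND search on the containing directory;
    the mode and owner of the file being removed are not consulted."""
    return (class_bits(directory, user, groups) & (W | X)) == (W | X)

# Lines copied from the two transcripts in the message above.
ERICH_TESTDIR = parse_ls_line("drwxr--r-- 2 root wheel 1024 Apr 12 02:22 testdir")
GREG_TESTDIR = parse_ls_line("drwxr--r-- 2 root wheel 512 Apr 12 08:52 .")
GREG_HOME = parse_ls_line("drwxr-xr-x 5 glarkin glarkin 512 Apr 12 08:52 ..")

if __name__ == "__main__":
    # Assumed group memberships (not stated in the thread).
    cases = [("testuser", {"rmtuser"}, ERICH_TESTDIR),
             ("glarkin", {"glarkin"}, GREG_TESTDIR),
             ("glarkin", {"glarkin"}, GREG_HOME),
             ("root", {"wheel"}, ERICH_TESTDIR)]
    for user, groups, d in cases:
        print(f"{user:9} {d.name:8} mode={d.mode:04o} "
              f"chdir={can_chdir(d, user, groups)} unlink={can_unlink(d, user, groups)}")
```

For the non-owner both operations come out denied, which matches the jail54 transcript; the jail0495 transcript shows the `rm` succeeding instead.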