Date: Sat, 22 May 2004 00:31:18 +1200
From: Drew Broadley <drew@corrupt.co.nz>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc: freebsd-current@freebsd.org
Subject: Re: Call for a hacker.... security.bsd.see_other_uids in jails only
Message-ID: <40ADF696.1020800@corrupt.co.nz>
In-Reply-To: <20040521080218.GY845@darkness.comp.waw.pl>
References: <20040520220145.GN4567@genius.tao.org.uk> <20040521080218.GY845@darkness.comp.waw.pl>

Pawel Jakub Dawidek wrote:

>On Thu, May 20, 2004 at 11:01:45PM +0100, Josef Karthauser wrote:
>+> I was wondering whether someone might help me out.
>+>
>+> There's a couple of sysctls in -current:
>+>
>+>     security.bsd.see_other_uids: 1
>+>     security.bsd.see_other_gids: 1
>+>
>+> These effectively allow one to prevent users from spying on each
>+> other.
>+>
>+> What I need to do is to disable these within jails, but not in the
>+> host environment.  The reason I need this is that I'm running the
>+> FreeBSD election on a box of mine, but I don't want to have to clear
>+> these globally.
>+>
>+> Would someone have the time to hack me a patch to do this?  It doesn't
>+> have to be clean, although eventually I'd like to see something like
>+> this committed to freebsd operating on a sysctl.
>
>Implementation probably wouldn't be too hard, but I can't agree it should
>be committed. We need to know where jail's virtualization ends and I think
>it is too far. Of course it will be cool to have those sysctls on a per-jail
>basis, as well as others from security.bsd. tree
>(like security.bsd.suser_enabled), but I'm not sure this is the right way
>to go.
>
>Any other opinions? If someone convinces me we should do it, I can do it.
>
>

Surely this person's requirements are far and beyond what chroot (jail)
has to offer.

If they want the ability to change sysctl values per jail, why not just
set up virtual machines per user? Surely this would give him the
flexibility he needs and the pure security of users not seeing other
users' jails?

That's my two cents, and it saves a lot of unnecessary hard work.

- Drew