Date: Tue, 10 May 2011 23:21:51 -0700
From: Bakul Shah <bakul@bitblocks.com>
To: Janne Snabb <snabb@epipe.com>
Cc: Jamie Landeg Jones <jamie@bishopston.net>, Jason Hellenthal <jhell@DataIX.net>, feld@feld.me, Edho P Arief <edhoprima@gmail.com>, freebsd-security@freebsd.org, Poul-Henning Kamp <phk@phk.freebsd.dk>, Bakul Shah <bakul@bitblocks.com>, Dag-Erling Smørgrav <des@des.no>, utisoft@gmail.com
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (Pétur)
Message-ID: <20110511062151.2731EB827@mail.bitblocks.com>
In-Reply-To: Your message of "Wed, 11 May 2011 05:28:16 -0000." <alpine.BSF.2.00.1105110456050.33272@tiktik.epipe.com>
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com> <alpine.BSF.2.00.1105110456050.33272@tiktik.epipe.com>
On Wed, 11 May 2011 05:28:16 -0000 Janne Snabb <snabb@epipe.com> wrote:
> On Tue, 10 May 2011, Bakul Shah wrote:
>
> > Dumb question: the jail command can refuse to run unless the
> > parent of a jail root is 0700. Would that work? No kernel hack
> > required.
>
> I do not think that this should be enforced in kernel, in the jail(8)
> command nor anywhere else. UNIX rm(1) is not opening a pop-up window
> asking "are you sure?" if you do "rm -rf /". The OS should not
> impose arbitrary restrictions based on some random assumptions on
> how a particular OS facility is going to be used.
...
> This should go into the documentation as a recommendation for some
> common jail use cases, but seriously, really not in the code, please.
>
> In UNIX we do not want to prevent people from shooting themselves
> in the foot. We should assume that the system administrator knows
> what they want and should not restrict their freedom to do so.

I agree that people should not be prevented from shooting themselves
in the foot but I do suggest that "accidental" footshooting can be
prevented by leaving the gun safety on. Force them to take some explicit
action for footshooting!

So let me modify my dumb suggestion: allow running a jail if either the
jail's parent dir has mode 0700 or the user specified the -f flag
(analogous to rm -f). [You may still not like it, but so it goes!]
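The check proposed in the message above, written out as a small wrapper so the behaviour is concrete. This is example code added for this page; it is not part of jail(8), FreeBSD, or anything the thread's participants posted. The function names (perm_bits, check_jail_parent, jail_wrapper) and the "yes"/-f override convention are assumptions made here for illustration. The check compares only the permission bits of the directory containing the jail root against 700, exactly as the suggestion reads; it does not verify the owner of that directory, which a real pre-flight check would also want.

```shell
#!/bin/sh
# Hypothetical pre-flight check for a jail start, modelled on the
# suggestion in the thread: refuse unless the directory that contains the
# jail root is mode 0700, or the caller passed -f (analogous to rm -f).
# Example code for this page; not jail(8)'s own logic.

# Print the permission bits of a path as octal digits, e.g. 700.
# Tries GNU stat(1) first, then falls back to BSD/FreeBSD stat(1).
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_jail_parent JAILROOT [FORCE]
#   Returns 0 when the jail may start, 1 when it must be refused.
#   FORCE is "yes" when the (hypothetical) -f flag was given.
check_jail_parent() {
    root=$1
    force=${2:-no}

    if [ ! -d "$root" ]; then
        echo "jail root '$root' is not a directory" >&2
        return 1
    fi

    # Resolve the parent from the canonical path so a trailing slash or a
    # symlink in the argument does not make us inspect the wrong directory.
    canon=$(cd "$root" && pwd -P) || return 1
    parent=$(dirname "$canon")

    mode=$(perm_bits "$parent") || return 1
    if [ "$mode" = "700" ]; then
        return 0
    fi

    if [ "$force" = "yes" ]; then
        echo "warning: $parent is mode $mode, not 0700; continuing because -f was given" >&2
        return 0
    fi

    echo "refusing to start jail: parent directory $parent is mode $mode, not 0700 (use -f to override)" >&2
    return 1
}

# Minimal driver mimicking "jail [-f] <path>": runs the check, then
# reports the jail command it would have executed.
jail_wrapper() {
    force=no
    if [ "$1" = "-f" ]; then
        force=yes
        shift
    fi
    check_jail_parent "$1" "$force" || return 1
    echo "would exec: jail -c path=$1 ..."
}
```

Usage: `jail_wrapper /jails/www` refuses with a message when /jails is anything other than 0700; `jail_wrapper -f /jails/www` warns and proceeds. Because GNU stat prints setuid/setgid/sticky digits as well (for example 2700) while BSD stat's %Lp prints only the low nine bits, a directory carrying those extra bits is rejected on GNU systems unless -f is given; that is the stricter of the two behaviours and is deliberate.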
