From: Andre Oppermann
Date: Mon, 06 Feb 2006 14:04:11 +0100
To: Björn König
Cc: current@freebsd.org
Subject: Re: unprivileged users are able to kill certain jailed processes
List-Id: Discussions about the use of FreeBSD-current

Björn König wrote:
> Hello,
>
> unprivileged users of the host environment can see jailed processes with
> the same user ID. Furthermore they are able to send signals to these
> processes. I think since users are not allowed to imprison processes
> there is no reason why they should see them or even kill them.

From the host's point of view a jail is like a user and all processes in that jail are of that user.

If you have normal users on the host and have jails under the same user id then, yea, tough luck. You're not supposed to do that. The purpose of jail is to protect the host from what is running in the jail, not the other way around.

--
Andre
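
An added example, not part of the original message or of FreeBSD: a host-side audit for the configuration this thread describes, reporting every non-root UID that owns processes both on the host (jid 0) and inside a jail. The function name `uid_collisions`, the sample rows and the `ps -axo uid,jid,pid,comm` column layout (a ps that supports the `jid` keyword) are assumptions.

```shell
#!/bin/sh
# Added example. Reads "uid jid pid command" rows on stdin and prints one line
# per non-root UID that has processes on the host (jid 0) and in a jail.
# Assumed live usage on the host:  ps -axo uid,jid,pid,comm | uid_collisions
uid_collisions() {
    awk '
        $1 !~ /^[0-9]+$/ { next }                 # header row or malformed line
        $1 == 0          { next }                 # root can signal any process anyway
        $2 == 0          { host[$1]++; next }     # process running on the host
                         { jailed[$1] = jailed[$1] " " $3 "(jid=" $2 ")" }
        END {
            for (u in jailed)
                if (u in host)
                    printf "uid %s: %d host process(es), jailed:%s\n", u, host[u], jailed[u]
        }
    ' | sort
}

# Constructed sample input (not captured from a real system).
sample_ps() {
cat <<'EOF'
 UID JID  PID COMMAND
   0   0    1 init
1001   0  812 sh
1001   3  954 httpd
1001   3  955 httpd
1002   0  820 vi
  80   4  990 nginx
   0   3  940 cron
EOF
}

# uid 1001 is shared between a host shell and two jailed httpd processes.
sample_ps | uid_collisions
```

An empty result only means no overlap among processes running at that moment; a host account whose UID is also used inside a jail still collides once that user logs in.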