From: Robert Watson
Date: Thu, 28 Jul 2011 16:28:45 +0100 (BST)
To: Ben Kaduk
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Benedict Reuschling, src-committers@freebsd.org
Subject: Re: svn commit: r224475 - head/usr.sbin/jail
References: <201107281141.p6SBfuZg002113@svn.freebsd.org>

On Thu, 28 Jul 2011, Ben Kaduk wrote:
>> @@ -914,3 +914,8 @@ directory that is moved out of the jail'
>>  access to the file space outside of the jail.
>>  It is recommended that directories always be copied, rather than moved, out
>>  of a jail.
>> +.Pp
>> +It is also not recommended that users allowed root in the jail be allowed
>> +access to the host system.
>> +For example, a root user in a jail can create a setuid root utility that
>> +could be run in the host system to achieve elevated privileges.
>
> Per rwatson's comment on the other jail.8 thread we've got going, we might
> recommend that the separate file system for a jail might also be mounted
> nosuid, which would close off this class of attack.

Setting nosuid will break many common jail installations by turning off things like su(1), sudo, crontab, at, etc.

I think that the better way to approach this may be to discuss, briefly, the philosophy behind Jail: it's not a virtualisation service, it's a subsetting service. A result of that is that the host system is a superset of the various containers, and has properties derived from each of them. You could imagine using various integrity/tainting schemes to avoid this issue -- a new nosuidjail (don't allow it to be setuid except in a jail), using some of our MAC-related schemes, etc. I would be tempted not to do things, but rather, to document the actual semantics and some of the implications.

Robert
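Review bot: The first added sentence ("It is also not recommended that users allowed root in the jail be allowed access to the host system") understates the example that follows it: a setuid root utility created by jailed root is a hazard to the host whenever the jail's file system is reachable and executable from the host, for any host user who can run it, not only when the jailed user personally has a host account. That makes it the same condition as the preceding paragraph about directories moved out of a jail, and the two paragraphs should say so together. Suggest rewording along the lines of "Granting a user root inside a jail should be treated as granting that user the ability to create setuid root binaries; any user on the host who can execute files from the jail's file system could then gain elevated privileges." The paragraph should also not be read as implying a nosuid mount is the fix: as the reply notes, that disables su(1), sudo, crontab and at inside the jail, so the documentation should describe the semantics rather than prescribe that mount option.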
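The risk the patch documents (a setuid root binary created inside the jail and reachable from the host) and the trade-off Robert raises (a blanket nosuid mount also disables su, sudo, crontab and at) can both be checked from the host. The following POSIX shell script is an added example, not part of the FreeBSD source tree or of this thread: it lists setuid-root regular files on a jail's file system, flags any whose basename is not on a constructed allowlist of setuid programs a jail usually needs, and notes when that file system is mounted nosuid. The jail root path and the allowlist contents are assumptions to tune per jail.

```shell
#!/bin/sh
# Host-side audit of a jail's file system for setuid-root executables.
# Added example, not FreeBSD code. Assumptions: $1 is the host path of the
# jail root; EXPECTED_SETUID is a constructed allowlist to tune per jail.

# Basenames of setuid-root programs a jail commonly needs (constructed list:
# the programs named in the thread, plus passwd and login).
EXPECTED_SETUID="su sudo crontab at passwd login"

# Print regular files under $1 that are setuid and owned by $2 (default root),
# staying on the jail's own file system (-xdev, supported by BSD and GNU find).
list_setuid() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 2>/dev/null
}

# Succeed if basename $1 is on the allowlist.
is_expected() {
    for name in $EXPECTED_SETUID; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# Print setuid files under $1 (owner $2) whose basename is not on the allowlist.
unexpected_setuid() {
    list_setuid "$1" "$2" | while IFS= read -r path; do
        is_expected "$(basename "$path")" || printf '%s\n' "$path"
    done
}

# Succeed if the file system holding $1 is mounted nosuid. Parses mount(8)
# output; FreeBSD and Linux both print "<dev> on <mountpoint> ... (<options>)".
is_nosuid() {
    mp=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    mount | grep -F " on $mp " | grep -q 'nosuid'
}

# Report: return 1 if any unexpected setuid file is present, else 0.
audit_jail_setuid() {
    if is_nosuid "$1"; then
        echo "note: $1 is on a nosuid file system; setuid bits are ignored there"
    fi
    bad=$(unexpected_setuid "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'unexpected setuid-root file(s) under %s:\n%s\n' "$1" "$bad"
        return 1
    fi
    return 0
}
```

Run it as `audit_jail_setuid /path/to/jail` from the host; a non-zero exit marks a setuid binary the allowlist does not account for, which is exactly the object the manual page paragraph warns about.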