Date: Thu, 28 Jul 2011 16:28:45 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Ben Kaduk <minimarmot@gmail.com>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Benedict Reuschling <bcr@freebsd.org>, src-committers@freebsd.org
Subject: Re: svn commit: r224475 - head/usr.sbin/jail
Message-ID: <alpine.BSF.2.00.1107281626360.24841@fledge.watson.org>
In-Reply-To: <CAK2BMK5UBM0_s_=sgRtrPNfp9aQPw8Pv4yMD4PFecbwE6CMZhg@mail.gmail.com>
References: <201107281141.p6SBfuZg002113@svn.freebsd.org> <CAK2BMK5UBM0_s_=sgRtrPNfp9aQPw8Pv4yMD4PFecbwE6CMZhg@mail.gmail.com>
On Thu, 28 Jul 2011, Ben Kaduk wrote:

>> @@ -914,3 +914,8 @@ directory that is moved out of the jail'
>> access to the file space outside of the jail.
>> It is recommended that directories always be copied, rather than moved, out
>> of a jail.
>> +.Pp
>> +It is also not recommended that users allowed root in the jail be allowed
>> +access to the host system.
>> +For example, a root user in a jail can create a setuid root utility that
>> +could be run in the host system to achieve elevated privileges.
>
> Per rwatson's comment on the other jail.8 thread we've got going, we might
> recommend that the separate file system for a jail might also be mounted
> nosuid, which would close off this class of attack.

Setting nosuid will break many common jail installations by turning off things like su(1), sudo, crontab, at, etc.

I think that the better way to approach this may be to discuss, briefly, the philosophy behind Jail: it's not a virtualisation service, it's a subsetting service. A result of that is that the host system is a superset of the various containers, and has properties derived from each of them. You could imagine using various integrity/tainting schemes to avoid this issue -- a new nosuidjail (don't allow it to be setuid except in a jail), using some of our MAC-related schemes, etc. I would be tempted not to do things, but rather, to document the actual semantics and some of the implications.

Robert
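Review bot: the added sentence "It is also not recommended that users allowed root in the jail be allowed access to the host system." stacks two negatives and reads awkwardly; the preceding context lines already set up the real point, that the jail's directory tree is part of the host's file space, so state it directly, for example "Users who are granted root inside a jail should not also have access to the host system, since files created in the jail are visible from the host." The setuid example that follows should also say why it works, namely that the host will honour the setuid bit on any file it can reach in the jail's tree, so readers understand that the risk comes from the shared file space rather than from the jail itself and can weigh the nosuid mount option that the reply above raises.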
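The exchange above is about one concrete failure mode: a set-user-ID binary created inside a jail is an ordinary setuid file as far as the host is concerned, unless the file system holding the jail is mounted nosuid, and mounting it nosuid breaks su(1), sudo and friends inside the jail. The following script is an added example, not code from the thread or from the FreeBSD jail(8) sources: it audits a jail's directory tree for setuid and setgid files and reports whether the host mount point holding that tree carries the nosuid option, so an administrator can see which of the two trade-offs Robert describes actually applies to a given jail. It assumes a POSIX sh with find(1), awk(1) and mount(1); the jail paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a jail's file tree
# for set-user-ID / set-group-ID files and check whether the host mount point
# that holds the tree is mounted nosuid.  Paths below are hypothetical.

# Print every regular file under $1 that has the setuid or setgid bit set.
# On the host these bits are honoured unless the mount is nosuid, which is
# exactly the case the jail.8 hunk warns about.
list_setuid_files() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Number of such files under $1, as a plain integer.
count_setuid_files() {
    list_setuid_files "$1" | wc -l | tr -d ' '
}

# Return 0 if the mount(8) output in $2 shows mount point $1 with the nosuid
# option.  The output text is passed in rather than read directly so the
# function can be exercised on a constructed sample.  Both the FreeBSD form
# "/dev/ada0p3 on /jails (ufs, local, nosuid)" and the Linux form
# "/dev/sda1 on /jails type ext4 (rw,nosuid)" are handled.
mount_line_has_nosuid() {
    mp=$1
    mounts=$2
    printf '%s\n' "$mounts" | awk -v mp="$mp" '
        $2 == "on" && $3 == mp {
            # Look only inside the parenthesised option list.
            if (match($0, /\(.*\)/)) {
                opts = substr($0, RSTART, RLENGTH)
                if (opts ~ /[(, ]nosuid[,)]/) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Report on one jail: $1 is the jail root, $2 the host mount point whose
# options decide whether the host honours the bits found under $1.
audit_jail() {
    root=$1
    mp=$2
    n=$(count_setuid_files "$root")
    echo "jail $root: $n setuid/setgid file(s)"
    list_setuid_files "$root" | sed 's/^/  /'
    if mount_line_has_nosuid "$mp" "$(mount)"; then
        echo "  $mp is mounted nosuid: the host ignores these bits (su/sudo inside the jail will not work)"
    else
        echo "  $mp is not mounted nosuid: the host honours these bits, review the files above"
    fi
}

# Usage (hypothetical paths): sh audit_jail.sh /jails/www /jails
if [ $# -eq 2 ]; then
    audit_jail "$1" "$2"
fi
```

The script does not change anything; it only makes the superset relationship Robert describes visible for one jail, so the operator can decide between accepting the files, removing the bits, or taking the nosuid trade-off.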