Date:      Thu, 28 Jul 2011 09:40:53 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, Benedict Reuschling <bcr@freebsd.org>, src-committers@freebsd.org, Ben Kaduk <minimarmot@gmail.com>
Subject:   Re: svn commit: r224475 - head/usr.sbin/jail
Message-ID:  <4E319115.5050003@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.00.1107281626360.24841@fledge.watson.org>
References:  <201107281141.p6SBfuZg002113@svn.freebsd.org> <CAK2BMK5UBM0_s_=sgRtrPNfp9aQPw8Pv4yMD4PFecbwE6CMZhg@mail.gmail.com> <alpine.BSF.2.00.1107281626360.24841@fledge.watson.org>

On 07/28/2011 08:28, Robert Watson wrote:
> 
> On Thu, 28 Jul 2011, Ben Kaduk wrote:
> 
>>> @@ -914,3 +914,8 @@ directory that is moved out of the jail'
>>>  access to the file space outside of the jail.
>>>  It is recommended that directories always be copied, rather than
>>> moved, out
>>>  of a jail.
>>> +.Pp
>>> +It is also not recommended that users allowed root in the jail be
>>> allowed
>>> +access to the host system.
>>> +For example, a root user in a jail can create a setuid root utility
>>> that
>>> +could be run in the host system to achieve elevated privileges.
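Review bot: the second added sentence in this hunk ("It is also not recommended that users allowed root in the jail be allowed access to the host system") stacks two "allowed"s in a passive construction and is hard to parse on first read; a direct form such as "Users who have root inside a jail should not also be given access to the host system." says the same thing more clearly. The example that follows would also be easier to connect to the preceding paragraph if it named the mechanism that paragraph already describes: the setuid binary is a problem because the jail's file space is reachable from the host, so the host kernel honours the bit when the file is executed there.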
>>
>> Per rwatson's comment on the other jail.8 thread we've got going, we
>> might recommend that the separate file system for a jail might also be
>> mounted nosuid, which would close off this class of attack.
> 
> Setting nosuid will break many common jail installations by turning off
> things like su(1), sudo, crontab, at, etc.
> 
> I think that the better way to approach this may be to discuss, briefly,
> the philosophy behind Jail: it's not a virtualisation service, it's a
> subsetting service.  A result of that is that the host system is a
> superset of the various containers, and has properties derived from each
> of them.  You could imagine using various integrity/tainting schemes to
> avoid this issue -- a new nosuidjail (don't allow it to be setuid except
> in a jail), using some of our MAC-related schemes, etc.  I would be
> tempted not to do things, but rather, to document the actual semantics
> and some of the implications.

In my jail use case (package building systems) having to put them on
separate file systems would significantly reduce their utility.

My take on the previous discussion was "Don't allow untrusted jail users
to have access to the host system" which seems like a fundamental
security principle in any case. In the absence of that precaution I'm
not sure how much more we can help.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
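An added example, not from this thread or the FreeBSD tree: a host-side audit for the problem Ben and Robert discuss, listing setuid/setgid files under a jail's directory tree that are not on an allowlist of the binaries expected to carry the bit (su, sudo, crontab, at, the ones Robert notes nosuid would break). The jail root path, the allowlist and the sample files are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the host against a jail's
# root directory to find setuid/setgid files a jail root user may have
# planted. The allowlist below is a constructed example; extend it to
# whatever your jail images legitimately ship with the bit set.

# Basenames normally setuid/setgid inside a jail (from the thread: su,
# sudo, crontab, at). Anything else with the bit set is reported.
EXPECTED_SUID="su sudo crontab at"

# is_expected BASENAME -> 0 if BASENAME is on the allowlist, else 1
is_expected() {
    for name in $EXPECTED_SUID; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# audit_setuid JAILROOT
#   Print (via ls -ld: mode, owner, path) every regular file under
#   JAILROOT with the setuid or setgid bit that is not on the allowlist.
#   Returns 0 when nothing unexpected is found, 1 otherwise, so it can be
#   dropped into a periodic check that alerts on a non-zero status.
audit_setuid() {
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set (POSIX find).
    hits=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    status=0
    # Read from a here-document rather than a pipe so the loop runs in the
    # current shell and $status is not lost in a subshell.
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        is_expected "$(basename "$path")" && continue
        ls -ld "$path"
        status=1
    done <<EOF
$hits
EOF
    return $status
}

# Usage (path is an assumption): audit_setuid /usr/jails/builder
```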