From owner-svn-src-all@FreeBSD.ORG Thu Jul 28 16:40:54 2011
Delivered-To: svn-src-all@freebsd.org
Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 345EA1065670; Thu, 28 Jul 2011 16:40:54 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from 65-241-43-4.globalsuite.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id A7669152409; Thu, 28 Jul 2011 16:40:53 +0000 (UTC)
Message-ID: <4E319115.5050003@FreeBSD.org>
Date: Thu, 28 Jul 2011 09:40:53 -0700
From: Doug Barton
Organization: http://SupersetSolutions.com/
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:5.0) Gecko/20110723 Thunderbird/5.0
To: Robert Watson
References: <201107281141.p6SBfuZg002113@svn.freebsd.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Benedict Reuschling, src-committers@freebsd.org, Ben Kaduk
Subject: Re: svn commit: r224475 - head/usr.sbin/jail
List-Id: "SVN commit messages for the entire src tree (except for "user" and "projects")"

On 07/28/2011 08:28, Robert Watson wrote:
>
> On Thu, 28 Jul 2011, Ben Kaduk wrote:
>
>>> @@ -914,3 +914,8 @@ directory that is moved out of the jail'
>>> access to the file space outside of the jail.
>>> It is recommended that directories always be copied, rather than
>>> moved, out
>>> of a jail.
>>> +.Pp
>>> +It is also not recommended that users allowed root in the jail be
>>> allowed
>>> +access to the host system.
>>> +For example, a root user in a jail can create a setuid root utility
>>> that
>>> +could be run in the host system to achieve elevated privileges.
>>
>> Per rwatson's comment on the other jail.8 thread we've got going, we
>> might recommend that the separate file system for a jail might also be
>> mounted nosuid, which would close off this class of attack.
>
> Setting nosuid will break many common jail installations by turning off
> things like su(1), sudo, crontab, at, etc.
>
> I think that the better way to approach this may be to discuss, briefly,
> the philosophy behind Jail: it's not a virtualisation service, it's a
> subsetting service. A result of that is that the host system is a
> superset of the various containers, and has properties derived from each
> of them. You could imagine using various integrity/tainting schemes to
> avoid this issue -- a new nosuidjail (don't allow it to be setuid except
> in a jail), using some of our MAC-related schemes, etc. I would be
> tempted not to do things, but rather, to document the actual semantics
> and some of the implications.

In my jail use case (package building systems) having to put them on
separate file systems would significantly reduce their utility.

My take on the previous discussion was "Don't allow untrusted jail users
to have access to the host system" which seems like a fundamental
security principle in any case. In the absence of that precaution I'm
not sure how much more we can help.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/
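Review bot: in the quoted jail.8 hunk, the new paragraph states the recommendation before the condition that makes it matter, and the phrase "users allowed root in the jail be allowed access to the host system" is awkward (two "allowed"s) and does not say which access is meant; as written, a reader can take it to mean that host access by itself elevates privilege, while the example two lines later shows the real path, a setuid root file created inside the jail's file system and later executed from the host. Suggest putting the mechanism first and making the condition explicit, along the lines of "+A root user in a jail can create a setuid root binary in the jail's file system; +if that file can be executed from the host, it runs with root privileges there." and then stating that jail root should therefore not be granted to anyone who also has unprivileged access to the host. Since the unchanged context lines just above already recommend copying rather than moving directories out of a jail, a sentence tying the two together (both concern the host reaching into the jail's file tree) would make the section read as one argument.

The thread's concern is a setuid root file planted by jail root and run from the host, with a nosuid mount as the proposed but intrusive mitigation. As an added example (not code from this thread, from jail(8) or from FreeBSD), the following POSIX sh script audits a jail root directory the way a host administrator might before granting anyone access to both sides: it lists setuid/setgid files under the jail and reports whether the file system holding it is mounted nosuid. The function names and the "audit_jail" driver are assumptions of this example; the mount(8) output parsing relies only on the "device on mountpoint ..." form that both FreeBSD and Linux print.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeBSD's jail(8):
# audit a jail's root directory for setuid/setgid files (the class of file
# that a jail root can create and that would run with elevated privilege if
# executed from the host), and report whether the file system holding the
# jail is mounted nosuid. Function names here are this example's own.

# Print every setuid or setgid regular file under the given directory,
# one path per line. -perm -4000 / -2000 are POSIX find(1) tests.
list_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Mount point of the file system holding the given path: the last field
# of the single data line that df -P prints for it.
mount_point_of() {
    df -P "$1" | awk 'NR == 2 { print $NF }'
}

# Succeed (exit 0) if the file system holding the given path is mounted
# nosuid. Both FreeBSD's and Linux's mount(8) print lines of the form
# "<device> on <mountpoint> ..." with the mount options after the
# mount point, so match on field 3 and look for the option text.
mount_has_nosuid() {
    mp=$(mount_point_of "$1")
    mount | awk -v m="$mp" '$2 == "on" && $3 == m' | grep -q 'nosuid'
}

# Report on one jail root: a warning if setuid bits are honoured on its
# file system, followed by each setuid/setgid file found.
audit_jail() {
    jail_root=$1
    if mount_has_nosuid "$jail_root"; then
        echo "OK: $(mount_point_of "$jail_root") is mounted nosuid;" \
             "setuid bits under $jail_root are ignored on exec"
    else
        echo "WARN: file system holding $jail_root honours setuid bits;" \
             "any of the files below runs privileged if executed from the host"
    fi
    list_setuid_files "$jail_root" | while read -r f; do
        echo "setuid/setgid: $f"
    done
}

# Usage: sh audit_jail.sh /path/to/jail/root
if [ $# -ge 1 ]; then
    audit_jail "$1"
fi
```

A clean jail will still list su(1), crontab and similar under the jail's /usr/bin, which is exactly why, as the thread notes, mounting the whole jail nosuid is not a free fix; the point of the listing is to spot a setuid file that is not part of the installed base. If the jail contains nullfs or other mounts you want to skip, add -xdev to the find(1) call.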