From: Alexander Leidinger
To: Julian Elischer
Cc: freebsd-hackers@freebsd.org, Linda Messerschmidt, Ivan Voras
Date: Thu, 03 Dec 2009 08:55:51 +0100
Message-ID: <20091203085551.14402tdw5nwmmm0w@webmail.leidinger.net>
In-Reply-To: <4B16A73D.4040503@elischer.org>
Subject: Re: UNIX domain sockets on nullfs still broken?

Quoting Julian Elischer (from Wed, 02 Dec 2009 09:43:25 -0800):

> Alexander Leidinger wrote:
>> Quoting Linda Messerschmidt (from Tue, 1 Dec 2009 10:22:02 -0500):
>>
>>> On Mon, Nov 30, 2009 at 10:14 AM, Ivan Voras wrote:
>>>>> What's the sane solution, then, when the only method of communication
>>>>> is unix domain sockets?
>>>>
>>>> It is a security problem. I think the long-term solution would be to add a
>>>> sysctl analogous to security.jail.param.securelevel to handle this.
>>>
>>> Out of curiosity, why is allowing access to a Unix domain socket in
>>> a filesystem to which a jail has explicitly been allowed access more
>>> or less secure than allowing access to a file or a devfs node in a
>>> filesystem to which a jail has explicitly been allowed access?
>>
>> Answer A: There is no difference.
>>
>> Answer B: You open up a direct communication channel between two
>> systems, which may not have been able to communicate before
>> (firewall rules, ...). With files you can do something similar too,
>> but having a socket there makes it easier and you do not need to
>> write extra code. It is similar to enabling SHM access in jails
>> (currently all jails share the same SHM area). And depending on the
>> application with the socket, you may be able to change files on the
>> other side, to which you do not have access otherwise (think
>> about a daemon which changes passwords...).
>
> I have used chroots and jails in a way that relies on the ability of a
> shared unix domain pipe being usable to communicate between them, and
> I also see why it may not be good.

What worries me is that it seems, from comments in this thread, that
nullfs has tighter security regarding jails than UFS/ZFS. I think all
should work consistently in this regard (which would mean there will be
a regression for some people if we switch UFS/ZFS to work in the same
way).

> I suggest that the ability to do so might be somehow controllable by
> the jail creator in some way.
>
>> Answer A is good if you control what is run where and how, and if
>> you use jails for easy data migration and program separation
>> (lightweight virtualization).
>>
>> Answer B is valid if you are an ISP which rents jails (in this case
>> you do not share a FS read-write anyway (at least you shouldn't) and
>> the point does not really matter).
>>
>> Pick the answer depending on your viewpoint / security requirements
>> and the software you are using.
>>
>> As both points are valid, we should provide the possibility to have
>> both situations working.
>
> yes please.
> A sysctl would do at a pinch, but maybe a per-jail setting might be
> possible too.

Per-jail is not a problem, I just need to know where the priv check is
which is causing this behavior (so far I thought it was some limitation
of nullfs and not a priv check). So far I haven't had the time to search
for it; I want to finish the import of v4l in the linuxulator first.

Bye,
Alexander.

-- 
BOFH excuse #102:
Power company testing new voltage spike (creation) equipment

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
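The thread leaves open whether the failure Alexander is hunting sits in socket creation (bind) or in using an already-present socket (connect), and the difference matters for deciding whether a jail is merely blocked from creating a rendezvous point or from talking to a daemon on the other side. The following program is an added example, not code from the thread or from FreeBSD; it performs a bind/listen/connect/accept round trip on a caller-supplied path and reports which call failed with which errno, so the same binary can be run on a UFS/ZFS directory and on a nullfs mount inside a jail to compare the two. The default path /tmp/uds-test.sock is an assumption for stand-alone runs.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind a listening UNIX domain socket at `path`, connect a second socket
 * to it, exchange one byte, and return 0 on success or -errno of the
 * first failing call. The socket file is unlinked before and after.
 * Run it once on a plain UFS/ZFS directory and once on a nullfs mount
 * inside the jail to see whether bind(2) or connect(2) is what differs. */
int uds_roundtrip(const char *path)
{
    struct sockaddr_un sun;
    int srv = -1, cli = -1, acc = -1, rc = 0;
    char buf[1] = { 0 };

    if (strlen(path) >= sizeof(sun.sun_path))
        return -ENAMETOOLONG;

    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    strncpy(sun.sun_path, path, sizeof(sun.sun_path) - 1);
    (void)unlink(path);              /* stale socket file from a previous run */

    srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0) { rc = -errno; goto out; }
    /* bind(2) creates the socket node: a restriction on *creating* sockets
     * on the filesystem shows up here (typically EPERM/EACCES/EROFS). */
    if (bind(srv, (struct sockaddr *)&sun, sizeof(sun)) < 0) { rc = -errno; goto out; }
    if (listen(srv, 1) < 0) { rc = -errno; goto out; }

    cli = socket(AF_UNIX, SOCK_STREAM, 0);
    if (cli < 0) { rc = -errno; goto out; }
    /* connect(2) uses an existing node: a restriction on *talking through*
     * a socket that someone else created shows up here instead. */
    if (connect(cli, (struct sockaddr *)&sun, sizeof(sun)) < 0) { rc = -errno; goto out; }

    acc = accept(srv, NULL, NULL);
    if (acc < 0) { rc = -errno; goto out; }

    /* Prove the channel actually carries data, not just that the calls succeeded. */
    if (write(cli, "x", 1) != 1) { rc = -EIO; goto out; }
    if (read(acc, buf, 1) != 1 || buf[0] != 'x') { rc = -EIO; goto out; }

out:
    if (acc >= 0) close(acc);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    (void)unlink(path);
    return rc;
}

int main(int argc, char **argv)
{
    /* Assumed default path; pass a path on the nullfs mount to test that case. */
    const char *path = argc > 1 ? argv[1] : "/tmp/uds-test.sock";
    int rc = uds_roundtrip(path);
    if (rc == 0)
        printf("%s: bind/listen/connect/accept OK\n", path);
    else
        printf("%s: failed: %s\n", path, strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Because the program does both ends itself, a failure inside the jail isolates the filesystem/jail policy from any daemon configuration; if bind succeeds on nullfs but connect to a socket created outside the jail does not, the relevant check is on the connect path rather than on node creation.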