From: Jille Timmermans
Date: Sun, 18 May 2008 18:21:13 +0200
To: freebsd-current@freebsd.org
Subject: Unprivileged jail_attach
Message-ID: <48305779.8020606@quis.cx>
List-Id: Discussions about the use of FreeBSD-current

Hello,

I was thinking about creating a way to do jail_attach as non-root.
My idea is to create some sort of 'uid conversion table', e.g.:

  root@host# jail /usr/jails/jail1/ jail1.host 127.0.0.2 /bin/sh /etc/rc
  root@host# jail_allowuser 1 65534 0 # jid host-uid jail-uid
  root@host# su nobody
  nobody@host$ jexec 1 bash
  root@jail1#

All (non-root) users wanting to attach a jail without being in this conversion table will get EPERM. Root will always get SUCCESS. Users in the conversion table will be put in the jail with the new (or same) uid.

This would be useful for, e.g., users wanting to have their own jail. Or authentication systems (sshd) that can put users in some jail, without becoming root first.

What do you think about it?

--
Jille
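
A userland C model of the lookup proposed in the message above, as an added example that is not part of the original post and not FreeBSD code. The names jail_uidmap, jail_attach_check and sample_map are hypothetical, and the second table row is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* One row of the proposed table, in the mail's order: jid host-uid jail-uid. */
struct jail_uidmap {
	int   jid;
	uid_t host_uid;
	uid_t jail_uid;
};

/* Row 1 is the mail's own example; row 2 is constructed (same uid kept). */
static const struct jail_uidmap sample_map[] = {
	{ 1, 65534, 0 },
	{ 2, 1001, 1001 },
};
#define SAMPLE_MAP_LEN (sizeof(sample_map) / sizeof(sample_map[0]))

/*
 * Hypothetical model of the proposed check (not FreeBSD code).
 * Returns 0 and stores the uid to use inside the jail in *jail_uid,
 * or EPERM when a non-root caller has no row for this jid.
 * Whether the jail exists is not modelled.
 */
int
jail_attach_check(const struct jail_uidmap *map, size_t n, int jid,
    uid_t caller, uid_t *jail_uid)
{
	if (caller == 0) {		/* root always succeeds and stays uid 0 */
		*jail_uid = 0;
		return (0);
	}
	for (size_t i = 0; i < n; i++) {
		/* Both fields must match: a row for jail 1 grants nothing in jail 2. */
		if (map[i].jid == jid && map[i].host_uid == caller) {
			*jail_uid = map[i].jail_uid;
			return (0);
		}
	}
	return (EPERM);
}

int
main(void)
{
	uid_t u = 0;
	int error = jail_attach_check(sample_map, SAMPLE_MAP_LEN, 1, 65534, &u);

	printf("jid 1, host uid 65534: error=%d jail uid=%lu\n", error, (unsigned long)u);
	return (0);
}
```

Row 1 makes the trust implication of the table concrete: host uid 65534 comes out as uid 0 inside jail 1, so each row is a privilege grant scoped to one jid.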