Date: Mon, 9 Sep 2002 08:49:34 -0600 (MDT) From: bsd@xtremedev.com To: Adrian Filipi-Martin <adrian+freebsd-security@ubergeeks.com> Cc: Benjamin Krueger <benjamin@seattleFenix.net>, Hans Zaunere <zaunere@yahoo.com>, <freebsd-security@FreeBSD.ORG> Subject: Re: jail() House Rock Message-ID: <20020909084601.K27444-100000@Amber.XtremeDev.com> In-Reply-To: <20020909102116.M8908-100000@lorax.ubergeeks.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> A reasonable solution is to block access to the jailed filesystems > from non-jailed accounts. Just do the following: > > install -m u=rwx,go= -d /usr/fence > install -d /usr/fence/jail > > Then use the fenced off directory as your jail root. We are > successfully running desktops with multiple developer jails in this sort of > configuration and things work great. This exclued anyone but root from > using suid binaries from a jail, and well, root's already root. Er, I don't believe this solves the issue. If the user knows the full path from the host system to the suid binary s/he created in the jail, s/he can access it directly as a regular use in the host environment. Ie., typing in: /usr/fence/jail/usr/home/baduser/bin/rootshell Please correct me if I'm wrong or if I've misunderstood. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020909084601.K27444-100000>