From: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
Date: Mon, 6 Feb 2006 14:14:21 -0700
To: Björn König
Cc: current@freebsd.org
Subject: Re: unprivileged users are able to kill certain jailed processes
Message-Id: <778A6B9C-DADC-45AE-A5C8-DEFC2D2C41D4@shire.net>
In-Reply-To: <43E7B1A7.8010501@cs.tu-berlin.de>
List-Id: Discussions about the use of FreeBSD-current

On Feb 6, 2006, at 1:29 PM, Björn König wrote:

> Andre Oppermann wrote:
>
>> [...] If you have normal users on the host and
>> have jails under the same user id then, yea, tough luck. You're not
>> supposed to do that. [...]
>
> Yes, I can prevent overlapping UIDs, but how do I prevent that
> if the host administrator and the jail administrator are two
> independent parties? It requires much more carefulness and
> precautions.

Well, the host admin, when detailing services and responsibilities to
the jail admin (I have a similar situation), can tell the jail admin
which range of UIDs to use for new users. I typically use the last
byte of the IP address * 100 as the base.

E.g., say a jail is 192.168.1.100; then they can start with 10000 as a
UID and go up to 10100.

Additionally, the host should ideally have no users but the bare
minimum for the admin. All the "host"-based users and services
should ideally be in their own jail.

And if you can use a common base jail install mounted read-only
inside each jail, you will greatly increase the security of the jails, as
exploits that replace system binaries will fail.

greetings from Utah
Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
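The UID convention Chad describes (base = last octet of the jail's IP * 100, jail users in the 100 UIDs above it) is easy to turn into a check the host admin can run against a jail's passwd file. The script below is an added example, not code from the post or from FreeBSD; the two passwd files are constructed samples, and the cutoff of 1000 for "real" (non-system) users is an assumption, chosen because FreeBSD's system accounts sit below it.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from FreeBSD itself.
# It implements the convention described above: a per-jail UID base of
# (last octet of the jail IP) * 100, a window of 100 UIDs above it, and a
# check that a host passwd file and a jail passwd file do not share UIDs.
# The passwd files below are constructed samples; the >= 1000 cutoff for
# "real" users is an assumption (FreeBSD system accounts sit below it).

# jail_uid_base IP -> print the UID base: last octet * 100.
#   jail_uid_base 192.168.1.100 -> 10000
jail_uid_base() {
    octet=${1##*.}
    echo $((octet * 100))
}

# overlapping_uids HOST_PASSWD JAIL_PASSWD
# Print "uid:hostuser:jailuser" for every UID >= 1000 present in both
# files. System accounts (root, www, ...) are expected in every jail and
# are skipped; the post's concern is unprivileged users that coincide.
overlapping_uids() {
    awk -F: '
        NR == FNR { if ($3 >= 1000) host[$3] = $1; next }
        ($3 >= 1000) && ($3 in host) { print $3 ":" host[$3] ":" $1 }
    ' "$1" "$2"
}

# uids_outside_range JAIL_PASSWD BASE
# Print "user:uid" for every UID >= 1000 in the jail file that lies
# outside the window [BASE, BASE+100] the host admin assigned.
uids_outside_range() {
    awk -F: -v lo="$2" -v hi="$(($2 + 100))" '
        ($3 >= 1000) && ($3 < lo || $3 > hi) { print $1 ":" $3 }
    ' "$1"
}

# --- constructed sample data (not real systems) ------------------------
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
HOST_PASSWD="$TMPD/host.passwd"
JAIL_PASSWD="$TMPD/jail.passwd"

# Host: only system accounts plus the one admin user, as the post advises.
cat > "$HOST_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
chad:*:1001:1001:Host admin:/home/chad:/bin/sh
EOF

# Jail at 192.168.1.100, so its admin was told to use 10000..10100.
# "bob" was added outside that window and collides with the host's admin.
cat > "$JAIL_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mailer:*:10001:10001:Jail mail user:/home/mailer:/bin/sh
bob:*:1001:1001:Added outside the assigned range:/home/bob:/bin/sh
EOF

JAIL_IP=192.168.1.100
BASE=$(jail_uid_base "$JAIL_IP")
echo "jail $JAIL_IP: assigned UID range $BASE-$((BASE + 100))"
echo "UIDs shared with the host (uid:hostuser:jailuser):"
overlapping_uids "$HOST_PASSWD" "$JAIL_PASSWD"
echo "jail users outside the assigned range (user:uid):"
uids_outside_range "$JAIL_PASSWD" "$BASE"
```

On a real host you would point `overlapping_uids` at the host's `/etc/passwd` and the jail's `/path/to/jail/etc/passwd` (the master.passwd works the same way, since the UID is field 3 in both). One caveat the scheme carries: a jail whose last octet is small (say .10, giving a base of 1000) lands exactly in the range pw(8) hands out to ordinary host users by default, which is one more reason the post wants the host itself to carry almost no users.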