Date: Mon, 06 Feb 2006 13:24:16 -0800
From: Julian Elischer <julian@elischer.org>
To: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
Cc: current@freebsd.org
Subject: Re: unprivileged users are able to kill certain jailed processes
Message-ID: <43E7BE80.4040706@elischer.org>
In-Reply-To: <778A6B9C-DADC-45AE-A5C8-DEFC2D2C41D4@shire.net>
References: <43E60708.9000902@cs.tu-berlin.de> <43E7494B.9040401@freebsd.org> <43E7B1A7.8010501@cs.tu-berlin.de> <778A6B9C-DADC-45AE-A5C8-DEFC2D2C41D4@shire.net>

Chad Leigh -- Shire.Net LLC wrote:

>
> On Feb 6, 2006, at 1:29 PM, Björn König wrote:
>
>> Andre Oppermann wrote:
>>
>>> [...] If you have normal users on the host and
>>> have jails under the same user id then, yea, tough luck. You're not
>>> supposed to do that. [...]
>>
>>
>> Yes, I can prevent from overlapping UIDs, but how to prevent from
>> that if host administrator and jail administrator are two
>> independent parties? It requires much more carefulness and precautions.
>
>
> Well, the host admin, when detailing services and responsibilities to
> the jail admin (I have a similar situation), can tell the jail admin
> which range of UIDs to use for new users. I typically use the last
> byte of the IP address * 100 as the base.
>
> Eg, say a jail is 192.168.1.100 then they can start with 10000 as a
> UID and go up to 10100.
>
> Additionally, the host should ideally have no users but the bare
> minimum for the admin. All the "host"-based users and services
> should ideally be in their own jail.

Generally at Vicor, we had a rule that either all users were in jails,
or none were. A Jail server wasn't considered part of the resources
available to users, only the jails themselves.

>
> And if you can use a common base jail install mounted read only
> inside each jail, you will greatly increase security of the jails as
> exploits that replace system binaries will fail.
>
> greetings from utah
> Chad
>
>
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad at shire.net
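
Added example, not part of the original message or of FreeBSD: a Python check of the UID scheme Chad describes (last byte of the jail IP * 100 as the base) that flags jail accounts outside their assigned block or sharing a UID with a host account. The block width of 100, the 1000..65533 "regular user" cutoff, and all passwd contents below are constructed assumptions.

```python
import ipaddress

# Assumption: UIDs 1000..65533 are regular users; lower UIDs and nobody (65534) are system accounts.
REGULAR = range(1000, 65534)

def parse_passwd(text):
    """Map uid -> login name from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3 or not fields[2].isdigit():
            continue
        users.setdefault(int(fields[2]), fields[0])
    return users

def uid_range(jail_ip):
    """Base = last byte of the jail IP * 100 (from the message); width 100 is assumed."""
    base = ipaddress.IPv4Address(jail_ip).packed[-1] * 100
    return range(base, base + 100)

def audit(host_passwd, jails):
    """Return sorted (jail_ip, login, uid, problem) tuples for regular-user UIDs."""
    host = parse_passwd(host_passwd)
    findings = []
    for ip, passwd_text in jails.items():
        allowed = uid_range(ip)
        if allowed.start < REGULAR.start:  # low last octets land in the system UID space
            findings.append((ip, "*", allowed.start, "range-collides-with-system-uids"))
        for uid, login in parse_passwd(passwd_text).items():
            if uid not in REGULAR:
                continue
            if uid not in allowed:
                findings.append((ip, login, uid, "outside-assigned-range"))
            if uid in host:  # the overlap the thread is about
                findings.append((ip, login, uid, f"same-uid-as-host-user:{host[uid]}"))
    return sorted(findings)

# Constructed sample data: host master.passwd-style entries and three jails keyed by IP.
HOST_PASSWD = ("root:*:0:0:Charlie &:/root:/bin/csh\n"
               "admin:*:1001:1001:Host admin:/home/admin:/bin/sh\n"
               "alice:*:10001:10001:Alice:/home/alice:/bin/sh\n")
JAILS = {
    "192.168.1.100": "root:*:0:0::/root:/bin/csh\nweb:*:10001:10001::/home/web:/bin/sh\n"
                     "bob:*:1001:1001::/home/bob:/bin/sh\n",
    "192.168.1.101": "carol:*:10100:10100::/home/carol:/bin/sh\n",
    "192.168.1.5": "erin:*:1500:1500::/home/erin:/bin/sh\n",
}

if __name__ == "__main__":
    for finding in audit(HOST_PASSWD, JAILS):
        print(*finding)
```

The "web" finding shows that staying inside the assigned block is not sufficient on its own: the host must also keep its own accounts out of every jail's block.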