From owner-freebsd-current@FreeBSD.ORG Mon Feb 6 21:24:18 2006
Message-ID: <43E7BE80.4040706@elischer.org>
Date: Mon, 06 Feb 2006 13:24:16 -0800
From: Julian Elischer
To: "Chad Leigh -- Shire.Net LLC"
Cc: current@freebsd.org
In-Reply-To: <778A6B9C-DADC-45AE-A5C8-DEFC2D2C41D4@shire.net>
References: <43E60708.9000902@cs.tu-berlin.de> <43E7494B.9040401@freebsd.org> <43E7B1A7.8010501@cs.tu-berlin.de> <778A6B9C-DADC-45AE-A5C8-DEFC2D2C41D4@shire.net>
Subject: Re: unprivileged users are able to kill certain jailed processes
List-Id: Discussions about the use of FreeBSD-current

Chad Leigh -- Shire.Net LLC wrote:

> On Feb 6, 2006, at 1:29 PM, Björn König wrote:
>
>> Andre Oppermann wrote:
>>
>>> [...] If you have normal users on the host and
>>> have jails under the same user id then, yea, tough luck. You're not
>>> supposed to do that. [...]
>>
>> Yes, I can prevent overlapping UIDs, but how do I prevent that if
>> the host administrator and the jail administrator are two
>> independent parties? It requires much more carefulness and precautions.
>
> Well, the host admin, when detailing services and responsibilities to
> the jail admin (I have a similar situation), can tell the jail admin
> which range of UIDs to use for new users. I typically use the last
> byte of the IP address * 100 as the base.
>
> Eg, say a jail is 192.168.1.100 then they can start with 10000 as a
> UID and go up to 10100.
>
> Additionally, the host should ideally have no users but the bare
> minimum for the admin. All the "host"-based users and services
> should ideally be in their own jail.

Generally at Vicor, we had a rule that either all users were in jails, or
none were. A jail server wasn't considered part of the resources available
to users, only the jails themselves.

> And if you can use a common base jail install mounted read only
> inside each jail, you will greatly increase security of the jails as
> exploits that replace system binaries will fail.
>
> greetings from Utah
> Chad
>
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad at shire.net
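The UID-range convention Chad describes above (last octet of the jail's IP address * 100 as the base of a 100-UID block), carried through as an added example that is not part of the original thread: a POSIX sh script that computes the block for a jail address and then checks a jail's passwd(5)-format file against the host's, reporting UIDs that collide with host accounts and UIDs the jail admin created outside the agreed block. The file paths and the passwd contents are constructed for illustration, and the choice of 1000 as the boundary below which accounts count as shared system accounts is an assumption of this example, not something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Implements the quoted
# convention: UID base = last IPv4 octet * 100, block = [base, base+100].
# Sample passwd files are constructed below; the 1000 system-account
# threshold is an assumption of this script.

# Print the UID base for a jail address, e.g. 192.168.1.100 -> 10000.
uid_base_for_ip() {
    octet=${1##*.}
    echo $((octet * 100))
}

# Print UIDs (field 3 of passwd(5) lines) present in BOTH files, one per
# line. UIDs below 1000 are skipped because root, www, etc. legitimately
# exist in every jail. Empty output means the two UID sets do not overlap.
overlapping_uids() {
    host_pw=$1; jail_pw=$2
    awk -F: 'FNR==NR { if ($3 >= 1000) host[$3]=1; next }
             ($3 >= 1000) && ($3 in host) && !seen[$3]++ { print $3 }' \
        "$host_pw" "$jail_pw"
}

# Print jail UIDs (>= 1000) that fall outside the assigned block
# [BASE, BASE+100], i.e. accounts created against the agreed allocation.
uids_outside_block() {
    jail_pw=$1; base=$2
    awk -F: -v lo="$base" -v hi="$((base + 100))" \
        '$3 >= 1000 && ($3 < lo || $3 > hi) { print $3 }' "$jail_pw"
}

# Constructed sample: a host holding only an admin account, and a jail at
# 192.168.1.100 whose admin used the 10000 block except for one stray entry
# that reuses the host admin's UID.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/host.passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
hostadmin:*:1001:1001:Host admin:/home/hostadmin:/bin/sh
EOF
    cat > "$tmp/jail.passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:10000:10000:Alice:/home/alice:/bin/sh
bob:*:10001:10001:Bob:/home/bob:/bin/sh
stray:*:1001:1001:Created outside the agreed range:/home/stray:/bin/sh
EOF
    base=$(uid_base_for_ip 192.168.1.100)
    echo "UID block for jail 192.168.1.100: $base-$((base + 100))"
    echo "Jail UIDs colliding with host UIDs:"
    overlapping_uids "$tmp/host.passwd" "$tmp/jail.passwd"
    echo "Jail UIDs outside the assigned block:"
    uids_outside_block "$tmp/jail.passwd" "$base"
    rm -r "$tmp"
}

demo
```

Run against real files by pointing `overlapping_uids` at the host's /etc/passwd and the jail's /path/to/jail/etc/passwd (paths are placeholders); the two checks are independent, since a jail account can stay inside its block yet still collide with a host account that was created without consulting the allocation, which is exactly the case the thread warns about.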