Date: Mon, 6 Feb 2006 14:28:58 -0700
From: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
To: Julian Elischer <julian@elischer.org>
Cc: current@freebsd.org
Subject: Re: unprivileged users are able to kill certain jailed processes
Message-ID: <84F45680-A22F-4EFD-AC36-5634C9990938@shire.net>
In-Reply-To: <43E7BE80.4040706@elischer.org>
References: <43E60708.9000902@cs.tu-berlin.de> <43E7494B.9040401@freebsd.org> <43E7B1A7.8010501@cs.tu-berlin.de> <778A6B9C-DADC-45AE-A5C8-DEFC2D2C41D4@shire.net> <43E7BE80.4040706@elischer.org>
On Feb 6, 2006, at 2:24 PM, Julian Elischer wrote:

> Chad Leigh -- Shire.Net LLC wrote:
>
>> On Feb 6, 2006, at 1:29 PM, Björn König wrote:
>>
>>> Andre Oppermann wrote:
>>>
>>>> [...] If you have normal users on the host and
>>>> have jails under the same user id then, yea, tough luck. You're not
>>>> supposed to do that. [...]
>>>
>>> Yes, I can prevent from overlapping UIDs, but how to prevent
>>> from that if host administrator and jail administrator are two
>>> independent parties? It requires much more carefulness and
>>> precautions.
>>
>> Well, the host admin, when detailing services and responsibilities
>> to the jail admin (I have a similar situation), can tell the jail
>> admin which range of UIDs to use for new users. I typically use
>> the last byte of the IP address * 100 as the base.
>>
>> Eg, say a jail is 192.168.1.100 then they can start with 10000 as
>> a UID and go up to 10100.
>>
>> Additionally, the host should ideally have no users but the bare
>> minimum for the admin. All the "host"-based users and services
>> should ideally be in their own jail.
>
> Generally at Vicor, we had a rule that either all users were in
> jails, or none were..
> A Jail server wasn't considered part of the resources available to
> users, only the jails themselves.

Exactly. Our jail servers have a login account only for those admin
personnel who need to admin the server itself. It is ONLY accessible
through certificate protected ssh (no passwords allowed) and no
services run on the jail server itself, only services in jails, so
the only open port on the jail server itself is the sshd one...

Best
Chad

>> And if you can use a common base jail install mounted read only
>> inside each jail, you will greatly increase security of the jails
>> as exploits that replace system binaries will fail.
>>
>> Greetings from Utah
>> Chad
>>
>> ---
>> Chad Leigh -- Shire.Net LLC
>> Your Web App and Email hosting provider
>> chad at shire.net
>>
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
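The thread's underlying risk is a host account sharing a UID with a jailed process. The script below is an added example, not code from the thread or from FreeBSD: it applies the UID-allocation scheme described above (last octet of the jail's IPv4 address times 100 as the base), assumes each jail is given a block of 100 UIDs (base through base+99, so neighbouring blocks do not share a boundary UID), and then checks a host passwd file for accounts that fall inside any jail's block and for jails whose blocks collide. The jail list, the passwd lines and the function names (`uid_range_for_jail`, `find_conflicts`) are constructed for illustration.

```python
"""Check that host UIDs and per-jail UID blocks do not overlap.

Added example for the mailing-list discussion; not the project's code.
Scheme (from the thread): UID base for a jail = last IPv4 octet * 100.
Assumption added here: each jail owns RANGE_SIZE consecutive UIDs.
"""
import ipaddress
from typing import Dict, List, Tuple

RANGE_SIZE = 100  # assumption: base .. base + 99 belong to the jail


def uid_range_for_jail(ip: str) -> Tuple[int, int]:
    """Return (lowest, highest) UID the jail at `ip` may allocate."""
    last_octet = int(ipaddress.IPv4Address(ip)) & 0xFF
    base = last_octet * 100
    return base, base + RANGE_SIZE - 1


def parse_passwd(text: str) -> Dict[int, str]:
    """Map uid -> login name from passwd(5)-style lines
    (name:pw:uid:gid:gecos:home:shell); blank and comment lines are skipped."""
    users: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        users[int(fields[2])] = fields[0]
    return users


def find_conflicts(jails: Dict[str, str], host_passwd: str) -> List[str]:
    """Report host accounts inside a jail's UID block and jails whose blocks
    overlap each other. An empty list means the host/jail UID spaces are
    disjoint, which is the property the thread says must hold."""
    problems: List[str] = []
    ranges = {name: uid_range_for_jail(ip) for name, ip in jails.items()}
    host_users = parse_passwd(host_passwd)

    # A host user whose UID lies in a jail block is exactly the "same user id
    # on host and in jail" situation the thread warns about.
    for name, (lo, hi) in ranges.items():
        for uid, user in sorted(host_users.items()):
            if lo <= uid <= hi:
                problems.append(
                    f"host user {user} (uid {uid}) falls inside "
                    f"{lo}-{hi}, the block of jail {name}")

    # Two jails with the same last octet (different subnets) collide too.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(
                    f"jails {a} and {b} share UID block "
                    f"{max(alo, blo)}-{min(ahi, bhi)}")
    return problems


# Constructed sample data: three jails and a small host passwd file.
JAILS = {
    "www": "192.168.1.100",   # block 10000-10099
    "mail": "192.168.1.101",  # block 10100-10199
    "dup": "10.0.0.100",      # same last octet as www -> collision
}
HOST_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
operator:*:2:5:System &:/:/usr/sbin/nologin
chad:*:1001:1001:Chad:/home/chad:/bin/sh
bob:*:10050:10050:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for problem in find_conflicts(JAILS, HOST_PASSWD):
        print("CONFLICT:", problem)
```

Run against the real `/etc/passwd` of a jail host and the jail-to-address map from `jail.conf`, an empty result confirms the host has no account a jailed process could be attributed to; any line printed names the UID that has to move.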