From: "Chad Leigh -- Shire.Net LLC"
Date: Mon, 6 Feb 2006 14:28:58 -0700
To: Julian Elischer
Cc: current@freebsd.org
Subject: Re: unprivileged users are able to kill certain jailed processes
List-Id: Discussions about the use of FreeBSD-current

On Feb 6, 2006, at 2:24 PM, Julian Elischer wrote:

> Chad Leigh -- Shire.Net LLC wrote:
>
>> On Feb 6, 2006, at 1:29 PM, Björn König wrote:
>>
>>> Andre Oppermann wrote:
>>>
>>>> [...]
>>>> If you have normal users on the host and
>>>> have jails under the same user id then, yea, tough luck. You're not
>>>> supposed to do that. [...]
>>>
>>> Yes, I can prevent from overlapping UIDs, but how to prevent
>>> from that if host administrator and jail administrator are two
>>> independent parties? It requires much more carefulness and
>>> precautions.
>>
>> Well, the host admin, when detailing services and responsibilities
>> to the jail admin (I have a similar situation), can tell the jail
>> admin which range of UIDs to use for new users. I typically use
>> the last byte of the IP address * 100 as the base.
>>
>> Eg, say a jail is 192.168.1.100 then they can start with 10000 as
>> a UID and go up to 10100.
>>
>> Additionally, the host should ideally have no users but the bare
>> minimum for the admin. All the "host"-based users and services
>> should ideally be in their own jail.
>
> Generally at Vicor, we had a rule that either all users were in
> jails, or none were..
> A Jail server wasn't considered part of the resources available to
> users, only the jails themselves.

Exactly. Our jail servers have a login account only for those admin
personnel who need to admin the server itself. It is ONLY accessible
through certificate protected ssh (no passwords allowed) and no
services run on the jail server itself, only services in jails, so
the only open port on the jail server itself is the sshd one...

Best
Chad

>> And if you can use a common base jail install mounted read only
>> inside each jail, you will greatly increase security of the jails
>> as exploits that replace system binaries will fail.
>>
>> greetings from Utah
>> Chad
>>
>> ---
>> Chad Leigh -- Shire.Net LLC
>> Your Web App and Email hosting provider
>> chad at shire.net

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
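
Added example, not part of the original message or thread: a host-side audit of a jail's passwd file against the UID scheme quoted above (last octet of the jail IP * 100, 100 UIDs per jail), flagging jail users that share a UID with a host user or fall outside the assigned range. The function names, the 1000/65534 system-account cutoffs and the exclusive upper bound are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: UIDs below 1000 and 65534
# (nobody) are system accounts and are skipped; the upper bound is exclusive,
# so the jails at .100 and .101 never share UID 10100.

# Print "BASE LIMIT" for a jail address: last octet * 100, 100 UIDs wide.
jail_uid_range() {
    octet=${1##*.}
    case $octet in
        ''|*[!0-9]*) echo "bad address: $1" >&2; return 2 ;;
    esac
    base=$((octet * 100))
    # Octets below 10 would land in the system UID space.
    [ "$base" -ge 1000 ] || { echo "range for $1 overlaps system UIDs" >&2; return 1; }
    echo "$base $((base + 100))"
}

# audit_jail HOST_PASSWD JAIL_PASSWD JAIL_IP
# Prints one finding per line; returns 1 if there are findings.
audit_jail() {
    range=$(jail_uid_range "$3") || return 2
    awk -F: -v base="${range% *}" -v limit="${range#* }" '
        /^#/ || NF < 3 { next }                      # passwd comments, junk
        $3 < 1000 || $3 == 65534 { next }            # system accounts
        FILENAME == ARGV[1] { host[$3] = $1; next }  # first file: host users
        ($3 in host) { printf "COLLISION uid=%s jail=%s host=%s\n", $3, $1, host[$3]; bad = 1 }
        $3 < base || $3 >= limit { printf "OUT_OF_RANGE uid=%s jail=%s\n", $3, $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data: jail 192.168.1.100 with one user inside the range,
# one sharing a UID with a host user, and one just past the range.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'alice:*:1001:1001:Host admin:/home/alice:/bin/sh' > "$tmp/host"
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'www:*:10000:10000:Web:/nonexistent:/usr/sbin/nologin' \
        'bob:*:1001:1001:Jail user:/home/bob:/bin/sh' \
        'eve:*:10100:10100:Jail user:/home/eve:/bin/sh' > "$tmp/jail"
    rc=0
    audit_jail "$tmp/host" "$tmp/jail" 192.168.1.100 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || true   # findings are expected for the constructed data
```

On a real host the two passwd arguments would be the host's `/etc/passwd` and the copy under the jail's root directory.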