From: "Mooneer Salem"
To: "Pawel Jakub Dawidek"
Cc: "FreeBSD Hackers"
Subject: RE: Jail seperation patch
Date: Thu, 27 Feb 2003 07:16:15 -0800

Hello,

Actually, I just gave it blah.lifeafterking.org in /etc/hosts. 10.0.0.4
really *is* in the same jail:

%ifconfig
lnc0: flags=8843 mtu 1500
        inet 10.0.0.3 netmask 0xffffffff broadcast 10.0.0.3
        inet 10.0.0.4 netmask 0xffffffff broadcast 10.0.0.4
        ether 00:50:56:e0:26:54
lo0: flags=8049 mtu 16384
%hostname
test.lifeafterking.org
%

As for the hide files code, I found a possible location for it, in
vfs_subr.c (extattr_check_cred()).
I added this block to it:

	/* Check to make sure outside user can actually access jailed files */
	if (cred->cr_prison && cred->cr_uid != 0 && jail_hide_files) {
		/* Find the list entry that describes the caller's prison. */
		LIST_FOREACH(element, &firstjail, pointers) {
			if (element->pr == cred->cr_prison) {
				break;
			}
		}
		/* element is NULL here if no list entry matched. */
		if (element != NULL &&
		    !strncmp(element->chroot_path,
		    vp->v_mount->mnt_stat.f_mntonname,
		    strlen(element->chroot_path))) {
			return (EPERM);
		}
	}

This ensures the check is only run if the sysctl variable equals 1.

Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/

-----Original Message-----
From: owner-freebsd-hackers@FreeBSD.ORG
[mailto:owner-freebsd-hackers@FreeBSD.ORG]On Behalf Of Pawel Jakub Dawidek
Sent: Thursday, February 27, 2003 1:43 AM
To: Mooneer Salem
Cc: FreeBSD Hackers
Subject: Re: Jail seperation patch

On Wed, Feb 26, 2003 at 02:48:25PM -0800, Mooneer Salem wrote:
+> 1. It handles at least case 1 just fine:
+>
+> %telnet 10.0.0.2 25
+> Trying 10.0.0.2...
+> Connected to pacific.lifeafterking.org.
[...]
+> %telnet 10.0.0.3 25
+> Trying 10.0.0.3...
+> Connected to test.lifeafterking.org..
[...]
+> %telnet 10.0.0.4 25
+> Trying 10.0.0.4...
+> Connected to blah.lifeafterking.org..

Nope, this is incorrect behaviour.
INADDR_ANY in jail means: 10.1.1.2 or 10.1.1.3, but not 10.1.1.4.

+> 2. Neat. :) I'm going to add sysctls when I get a chance for the mount
+> hiding. Also, I'm going to take a look
+> at the VFS code and see if I can hide files from non-root non-jailed users.

??? All that you can check, IMHO, is every parent directory of the
opened file, to see whether it is equal to the jail chroot directory.
But this is slow and stupid, because there could be many jails with a
shared chroot directory.

+> 3. Does multi-level jailing add any further restrictions to the jails within
+> the jails, besides the standard ones
+> imposed?

Nope, but a jail run in a jail can't use IPs that aren't bound to the
parent jail, and securelevels are checked recursively.
--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
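
The mount-point comparison discussed in this message, as an added example that is not part of the original message or of the patch: a plain strncmp() prefix test also matches a sibling path such as /jails/ab when the jail root is /jails/a, so this user-space sketch compares on path-component boundaries instead. The function names and the /jails/... paths are assumptions made for illustration.

```c
/* Added example: user-space C, not the kernel code from the message. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Raw prefix test: the same comparison the posted block makes. */
bool prefix_match(const char *root, const char *mnt)
{
	return strncmp(root, mnt, strlen(root)) == 0;
}

/* Component-aware test: true if mnt is root itself or lies below it. */
bool path_under(const char *root, const char *mnt)
{
	size_t n = strlen(root);

	if (n == 0)
		return false;           /* an empty root matches nothing */
	while (n > 1 && root[n - 1] == '/')
		n--;                    /* ignore trailing slashes */
	if (strncmp(root, mnt, n) != 0)
		return false;
	if (n == 1 && root[0] == '/')
		return true;            /* every absolute path is under "/" */
	/* The match must end on a component boundary. */
	return mnt[n] == '\0' || mnt[n] == '/';
}

/* Hypothetical helper: index of the first jail root holding mnt, or -1. */
int find_owning_jail(const char *const roots[], size_t nroots, const char *mnt)
{
	for (size_t i = 0; i < nroots; i++)
		if (path_under(roots[i], mnt))
			return (int)i;
	return -1;
}

int main(void)
{
	/* Constructed sample data: two jails whose roots share a prefix. */
	const char *const roots[] = { "/jails/a", "/jails/ab" };
	const char *mnt = "/jails/ab/proc";

	printf("prefix_match(%s, %s) = %d\n", roots[0], mnt, prefix_match(roots[0], mnt));
	printf("path_under(%s, %s) = %d\n", roots[0], mnt, path_under(roots[0], mnt));
	printf("owning jail index = %d\n", find_owning_jail(roots, 2, mnt));
	return 0;
}
```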