Date: Mon, 23 Oct 2017 09:31:42 -0400
From: Steve Wills <swills@FreeBSD.org>
To: Allan Jude <allanjude@freebsd.org>, Steven Hartland <steven.hartland@multiplay.co.uk>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r318751 - in head/sys: kern sys
Message-ID: <92f4d6a9-6fc7-5fbd-7fce-8584c090526d@FreeBSD.org>
In-Reply-To: <96e0c0bc-eb9c-2ffa-9216-88678d0e8730@freebsd.org>
References: <201705231659.v4NGxOB8013882@repo.freebsd.org> <c156a912-6305-4cc4-261c-5545742d9801@freebsd.org> <CAHEMsqZr4heWmJ2R-v=ct4dAvmj6rveZ4=5wNaaMz_=%2BKNNnOQ@mail.gmail.com> <96e0c0bc-eb9c-2ffa-9216-88678d0e8730@freebsd.org>

Hi,

On 10/21/2017 18:55, Allan Jude wrote:
> On 2017-10-21 18:45, Steven Hartland wrote:
>> Personally I hate that idea as I like being able to see all the processes
>> from the host.
>>
>> I have a similar hate of Linux containers where you have to jump through
>> hoops just to see what's really happening on the host.
>>
>> On Sat, 21 Oct 2017 at 20:29, Allan Jude <allanjude@freebsd.org
>
> Note: this does NOT change root's ability to see the processes in the jail.
>
> It just stops uid 1001 on the host, from using the processes owned by uid
> 1001 in each jail, even in the presence of: security.bsd.see_other_uids=0
>

I think we'd be doing our users a service by enabling this by default and avoiding the potential foot-shooting. I'd even be happy if we set the other security.bsd.see_other_* to 0 by default. Or at least change the installer to default that way (if it doesn't already? I'm not sure). Personally, I'm going to do that locally anyway so if we don't do those things, I won't be upset, but saddened for our users' sake.

Note too that security.bsd.see_jail_proc is partially a workaround for the fact that security.bsd.see_other_* doesn't work as you might expect. It's literally the UID/GID, rather than the username, so security.bsd.see_other_* has no idea that the users in the jail are not the same users on the host, which is unexpected and counter-intuitive at best and dangerous at worst.

(Even if that were changed, security.bsd.see_jail_proc is still useful for the potential scenario where you don't want/need to set security.bsd.see_other_* but don't want users to see processes in jails.)

Steve