Date: Mon, 23 Oct 2017 08:34:47 -0500 From: Benjamin Kaduk <bjkfbsd@gmail.com> To: Steve Wills <swills@freebsd.org> Cc: Allan Jude <allanjude@freebsd.org>, Steven Hartland <steven.hartland@multiplay.co.uk>, "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org> Subject: Re: svn commit: r318751 - in head/sys: kern sys Message-ID: <CAJ5_RoBjLf7gkjFg0BTw2unpoWoa5QanUY79Z_OGvMYyY-P8Cg@mail.gmail.com> In-Reply-To: <92f4d6a9-6fc7-5fbd-7fce-8584c090526d@FreeBSD.org> References: <201705231659.v4NGxOB8013882@repo.freebsd.org> <c156a912-6305-4cc4-261c-5545742d9801@freebsd.org> <CAHEMsqZr4heWmJ2R-v=ct4dAvmj6rveZ4=5wNaaMz_=%2BKNNnOQ@mail.gmail.com> <96e0c0bc-eb9c-2ffa-9216-88678d0e8730@freebsd.org> <92f4d6a9-6fc7-5fbd-7fce-8584c090526d@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 23, 2017 at 8:31 AM, Steve Wills <swills@freebsd.org> wrote: > > Note too that security.bsd.see_jail_proc is partially a work around for > the fact that security.bsd.see_other_* doesn't work as you might expect. > It's literally the UID/GID, rather than the username, so > security.bsd.see_other_* has no idea that the users in the jail are not the > same users on the host, which is unexpected and counter-intuitive at best > and dangerous at worst. (Even if that were changed, > security.bsd.see_jail_proc is still useful for the potential scenario where > you don't want/need to set security.bsd.see_other_* but don't want users to > see processes in jails.) security.bsd.see_other_* cannot do anything *but* UID/GID -- note that it is supported to have multiple user entries on a single system that share a UID, and the username used to log in is not tracked by the kernel. (E.g., root and toor.) -Ben
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ5_RoBjLf7gkjFg0BTw2unpoWoa5QanUY79Z_OGvMYyY-P8Cg>