Date: Tue, 10 Sep 2002 16:25:42 +0200
From: Nomad
To: freebsd-security@freebsd.org
Subject: Re: jail() House Rock

So, you are wrong and I have to correct you. To read a file in the way you
described, the user has to have x permission to all subdirectories and x
permission to the executable file. We assume that you have x permission to
the executable, but for the root directory of the jail you don't.

On Mon, Sep 09, 2002 at 08:49:34AM -0600, bsd@xtremedev.com wrote:
> > A reasonable solution is to block access to the jailed filesystems
> > from non-jailed accounts. Just do the following:
> >
> > install -m u=rwx,go= -d /usr/fence
> > install -d /usr/fence/jail
> >
> > Then use the fenced off directory as your jail root. We are
> > successfully running desktops with multiple developer jails in this sort of
> > configuration and things work great. This excludes anyone but root from
> > using suid binaries from a jail, and well, root's already root.
>
> Er, I don't believe this solves the issue. If the user knows the full path
> from the host system to the suid binary s/he created in the jail, s/he can
> access it directly as a regular user in the host environment. I.e., typing
> in:
>
> /usr/fence/jail/usr/home/baduser/bin/rootshell
>
> Please correct me if I'm wrong or if I've misunderstood.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
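
Added example, not part of the original thread: a small checker that walks each component of the quoted path and reports the first one a given non-root uid cannot pass, showing why a fence directory with mode u=rwx,go= stops the direct-path access. The function names are hypothetical, the tree is constructed under a temporary directory standing in for /usr, and only classic owner/group/other mode bits are modelled (no ACLs or MAC policy).

```python
import os
import tempfile

# Constructed layout mirroring the path quoted in the thread (below a temp dir, not /usr).
REL = "fence/jail/usr/home/baduser/bin/rootshell"

def class_bits(st, uid, gids):
    """rwx triplet that applies to uid/gids under classic owner/group/other rules."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocked(base, relpath, uid, gids):
    """Return the first component below base that uid cannot pass, or None."""
    if uid == 0:
        return None  # simplification: root is not stopped by directory modes
    current = base
    for part in relpath.split("/"):
        current = os.path.join(current, part)
        # Directories need search (x); the final file needs execute (x).
        if not class_bits(os.stat(current), uid, gids) & 1:
            return current
    return None

def build_demo(fence_mode):
    """Create the tree with world-accessible modes, then set the fence mode."""
    base = tempfile.mkdtemp()
    path = base
    for part in REL.split("/")[:-1]:
        path = os.path.join(path, part)
        os.mkdir(path)
        os.chmod(path, 0o755)
    binary = os.path.join(base, REL)
    with open(binary, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(binary, 0o755)  # stands in for the suid binary; only x matters here
    os.chmod(os.path.join(base, "fence"), fence_mode)
    return base

if __name__ == "__main__":
    for mode in (0o700, 0o755):  # u=rwx,go= versus an unfenced directory
        base = build_demo(mode)
        st = os.stat(os.path.join(base, "fence"))
        blocked = first_blocked(base, REL, st.st_uid + 1, {st.st_gid + 1})
        print(oct(mode), "->", blocked or "reachable by a non-owner, non-root user")
```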