From: Konstantin Belousov <kostikbel@gmail.com>
To: Steve Wills
Cc: Allan Jude, Steven Hartland, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r318751 - in head/sys: kern sys
Date: Mon, 23 Oct 2017 18:15:27 +0300
Message-ID: <20171023151527.GO2473@kib.kiev.ua>
In-Reply-To: <92f4d6a9-6fc7-5fbd-7fce-8584c090526d@FreeBSD.org>
References: <201705231659.v4NGxOB8013882@repo.freebsd.org> <96e0c0bc-eb9c-2ffa-9216-88678d0e8730@freebsd.org> <92f4d6a9-6fc7-5fbd-7fce-8584c090526d@FreeBSD.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
On Mon, Oct 23, 2017 at 09:31:42AM -0400, Steve Wills wrote:
> Hi,
>
> On 10/21/2017 18:55, Allan Jude wrote:
> > On 2017-10-21 18:45, Steven Hartland wrote:
> >> Personally I hate that idea as I like being able to see all the processes
> >> from the host.
> >>
> >> I have a similar hate of Linux containers where you have to jump through
> >> hoops just to see what's really happening on the host.
> >>
> >> On Sat, 21 Oct 2017 at 20:29, Allan Jude
> >
> > Note: this does NOT change root's ability to see the processes in the jail.
> >
> > It just stops uid 1001 on the host from using the processes owned by uid
> > 1001 in each jail, even in the presence of: security.bsd.see_other_uids=0
> >
>
> I think we'd be doing our users a service by enabling this by default
> and avoiding the potential foot-shooting. I'd even be happy if we set

No, you propose to do exactly the reverse, by making it impossible to
properly observe the global system state. E.g. the administrator on the host,
that is, the machine owner, would be unable to see processes which eat
system resources and are jailed.

> the other security.bsd.see_other_* to 0 by default. Or at least change
> the installer to default that way (if it doesn't already? I'm not sure).

And this is plainly stupid. The only config where see_other_uids might not
be completely detrimental is probably only public-access shell boxes, and
even there the harm from it probably outweighs the obscurity it provides.

> Personally, I'm going to do that locally anyway so if we don't do those
> things, I won't be upset, but saddened for our users' sake.

Personally, I will have to revert this on all my computers if this ever gets in.

> Note too that security.bsd.see_jail_proc is partially a workaround for
> the fact that security.bsd.see_other_* doesn't work as you might expect.

It works exactly as I expect.

> It's literally the UID/GID, rather than the username, so
> security.bsd.see_other_* has no idea that the users in the jail are not
> the same users on the host, which is unexpected and counter-intuitive at
> best and dangerous at worst. (Even if that were changed,
> security.bsd.see_jail_proc is still useful for the potential scenario
> where you don't want/need to set security.bsd.see_other_* but don't want
> users to see processes in jails.)
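The visibility rules the thread argues about, as an added illustration that is not part of the mail exchange and is not FreeBSD's own cr_cansee() code: a simplified C model of how an observer's credential is checked against a target process, in the order prison membership, then security.bsd.see_other_uids, then security.bsd.see_jail_proc. It assumes a flat jail model (jail id 0 is the host, no nested jails), treats uid 0 as the privileged observer that bypasses both sysctl checks, and omits see_other_gids and MAC hooks. Only numeric uids are compared, never user names, which is the behaviour Steve describes: to see_other_uids, host uid 1001 and jail uid 1001 are the same user, so only see_jail_proc=0 separates them, while root on the host keeps seeing everything under every setting.

```c
/*
 * Added example: a simplified model of the per-process visibility policy
 * discussed in the thread. It is NOT the kernel's cr_cansee() code.
 *
 * Assumptions (not from the thread):
 *  - jail id 0 is the host; jails are flat (no nested jails);
 *  - uid 0 is privileged and bypasses both sysctl checks;
 *  - only the numeric uid is compared; user names never enter the decision.
 */
#include <stdbool.h>
#include <stdio.h>

struct cred {
    unsigned uid;   /* numeric real uid */
    int      jail;  /* 0 = host, >0 = jail id */
};

struct policy {
    bool see_other_uids; /* models security.bsd.see_other_uids */
    bool see_jail_proc;  /* models security.bsd.see_jail_proc */
};

static bool is_privileged(const struct cred *c)
{
    return c->uid == 0;
}

/* A jailed observer never sees outside its own jail, whatever the sysctls say. */
static bool prison_allows(const struct cred *obs, const struct cred *tgt)
{
    return obs->jail == 0 || obs->jail == tgt->jail;
}

/* True if obs may see a process running with credential tgt. */
bool can_see(const struct policy *p, const struct cred *obs, const struct cred *tgt)
{
    if (!prison_allows(obs, tgt))
        return false;
    /* see_other_uids=0 hides processes of other *numeric* uids from non-root. */
    if (!p->see_other_uids && obs->uid != tgt->uid && !is_privileged(obs))
        return false;
    /* see_jail_proc=0 hides processes in other jails from non-root. */
    if (!p->see_jail_proc && obs->jail != tgt->jail && !is_privileged(obs))
        return false;
    return true;
}

/* Host uid 1001 looking at jail 1's uid 1001: the same-uid case from the thread. */
bool host_user_sees_same_uid_in_jail(bool see_other_uids, bool see_jail_proc)
{
    struct policy p = { see_other_uids, see_jail_proc };
    struct cred host_user = { 1001, 0 }, jail_user = { 1001, 1 };
    return can_see(&p, &host_user, &jail_user);
}

/* Host uid 1001 looking at jail 1's uid 1002. */
bool host_user_sees_other_uid_in_jail(bool see_other_uids, bool see_jail_proc)
{
    struct policy p = { see_other_uids, see_jail_proc };
    struct cred host_user = { 1001, 0 }, jail_user = { 1002, 1 };
    return can_see(&p, &host_user, &jail_user);
}

/* Host root looking at jail 1's uid 1001: the machine-owner case kib raises. */
bool host_root_sees_jail(bool see_other_uids, bool see_jail_proc)
{
    struct policy p = { see_other_uids, see_jail_proc };
    struct cred root = { 0, 0 }, jail_user = { 1001, 1 };
    return can_see(&p, &root, &jail_user);
}

/* Jailed uid 1001 looking at host uid 1001: blocked by the prison check. */
bool jailed_user_sees_host(bool see_other_uids, bool see_jail_proc)
{
    struct policy p = { see_other_uids, see_jail_proc };
    struct cred jailed = { 1001, 1 }, host_proc = { 1001, 0 };
    return can_see(&p, &jailed, &host_proc);
}

int main(void)
{
    const bool settings[][2] = { { true, true }, { false, true }, { false, false } };
    printf("other_uids jail_proc  host1001->jail1001 host1001->jail1002 root->jail1001 jail1001->host1001\n");
    for (size_t i = 0; i < sizeof settings / sizeof settings[0]; i++) {
        bool ou = settings[i][0], jp = settings[i][1];
        printf("    %d         %d             %d                  %d                %d               %d\n",
               ou, jp,
               host_user_sees_same_uid_in_jail(ou, jp),
               host_user_sees_other_uid_in_jail(ou, jp),
               host_root_sees_jail(ou, jp),
               jailed_user_sees_host(ou, jp));
    }
    return 0;
}
```

The middle row of the table is the foot-gun Steve is pointing at: with see_other_uids=0 and see_jail_proc=1, host uid 1001 still sees jail uid 1001's processes because the uid numbers match; the last row shows that see_jail_proc=0 closes that while the root column stays at 1 throughout, which is Allan's note that root's view is unchanged.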