From owner-freebsd-security Sun Jun 25 22:55:29 2000
From: Poul-Henning Kamp
To: Gerhard Sittig
Cc: security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
In-reply-to: Your message of "Sun, 25 Jun 2000 22:35:49 +0200." <20000625223549.I9883@speedy.gsinet>
Date: Mon, 26 Jun 2000 07:54:54 +0200
Message-ID: <15310.961998894@critter.freebsd.dk>

In message <20000625223549.I9883@speedy.gsinet>, Gerhard Sittig writes:
>On Sun, Jun 25, 2000 at 20:13 +0200, Poul-Henning Kamp wrote:
>>
>> Jails(8) are probably the currently safest way to do it, but
>> not the most "authentic" looking way. Finding out that you're
>> in a jail is trivial and I presume that it will become common
>> knowledge for script-kiddies RSN.
>
>Besides the /proc/$PID/status field and the 'J' in ps' status
>field - which I feel to be cosmetic or for plain information and
>not really the final word - what other criteria would be there to
>check?

I can't think of any -- at least not a reliable one.

Bind a socket at 127.0.0.1 and notice with getsockname() that it isn't.

Ping doesn't work.

I believe "kill -0 1" will also tell you.

>This leads to the question: Was the intent behind the jail(2)
>mechanism to isolate a process group or was it to fake a machine?
>I guess it was the former, but could be turned into the latter.
>And I'm sure you will tell me if I'm wrong. :)

The former, and significant amounts of code will have to be written
to make it the latter.

-- 
Poul-Henning Kamp             | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG               | TCP/IP since RFC 956
FreeBSD coreteam member       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
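The loopback check phk describes, as an added example that is not code from the post: a small C routine asks for 127.0.0.1, reads back what getsockname() actually bound, and reports whether the kernel rewrote it, which lets a jail operator confirm from inside that the isolation is in effect. The function names are mine; the ping and "kill -0 1" checks from the post are not included.

```c
/* Added example (not from the mailing-list post): observe how jail(2)
 * rewrites a loopback bind. Inside a FreeBSD jail, binding to 127.0.0.1
 * silently binds to the jail's own IP instead, so getsockname() reports
 * a different address from the one requested; outside a jail it reports
 * 127.0.0.1 unchanged. Builds on FreeBSD or Linux. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to 127.0.0.1:0 and copy the address the kernel actually
 * assigned into out (dotted quad; outlen >= INET_ADDRSTRLEN).
 * Returns 0 on success, -1 if socket/bind/getsockname failed (errno set). */
int observed_loopback_addr(char *out, size_t outlen)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof(got);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&want, 0, sizeof(want));
    want.sin_family = AF_INET;
    want.sin_port = 0;                       /* any ephemeral port */
    want.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&want, sizeof(want)) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return inet_ntop(AF_INET, &got.sin_addr, out, outlen) ? 0 : -1;
}

/* 1 if the kernel rewrote the loopback bind (the jail(2) behaviour the post
 * describes), 0 if the address came back unchanged, -1 on error. */
int loopback_bind_rewritten(void)
{
    char addr[INET_ADDRSTRLEN];
    if (observed_loopback_addr(addr, sizeof(addr)) < 0)
        return -1;
    return strcmp(addr, "127.0.0.1") != 0;
}
```

Run outside a jail the result is 0; inside a jail with its own address the function returns 1 and observed_loopback_addr() yields the jail IP.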