Date: Wed, 20 Nov 2019 08:03:54 +1100
From: Dewayne Geraghty <dewaynegeraghty@gmail.com>
To: Ronald Klop <ronald-lists@klop.ws>
Cc: freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: jexec as user?
Message-ID: <CAGnMC6o%2BffV5QfLYpFZqyJhj1oca2092J7oNLqdpGXgHouVpDA@mail.gmail.com>
In-Reply-To: <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz>
References: <1237616943.9.1574163726832@localhost> <a572c2ec-52b6-0999-9106-75051cfc9821@sentex.net> <F75AA78E-EC55-49F8-9CEA-AB6C6F0BD742@cretaforce.gr> <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz>
Good question Ronald.

A test - I can login to jail (b3) where I run apache as www user, so

    # jexec -U www b3 /bin/tcsh
    > whoami; id
    www
    uid=80(www) gid=80(www) groups=80(www)

Expected - good! And I can, in the host

    # su -m www -c "whoami; id"
    www
    uid=80(www) gid=80(www) groups=80(www)

Good - so my user exists in both host and jail. Though for your purposes the host user could be anyone. So we've demonstrated that I have an unpriv'ed user in both the host and jailed context.

But....

    # /usr/bin/su -m www -c "jexec -U www b3 /usr/bin/whoami"
    jexec: initgroups: www: Operation not permitted

So unless I/we can identify the cause of this, you're stuck. Which surprised me, as I typically run stuff in my jails using commands from the host, like:

    /usr/sbin/jexec -U www b3 /usr/local/sbin/httpd -f /usr/local/etc/apache24/httpd.conf

Now to part 2 of your question. I do run sshd quite happily in the jails, so that may be an option for you. (Actually I use dropbear in situations where I don't require the proper audit logs, and it's approx 50% of the sshd resources ;))
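The "initgroups: www: Operation not permitted" error above comes from initgroups(3), which sets the process's supplementary group list through setgroups(2); that system call needs superuser privilege on both FreeBSD and Linux, and jexec is not a setuid binary, so after `su -m www` the call returns EPERM before any jail switch happens. The program below is an added illustration, not code from the post or from FreeBSD's jexec: it re-applies the caller's own group list with setgroups(2) (unprivileged callers get EPERM even when nothing would change) and then performs the same host-side lookup-plus-initgroups step that `jexec -U` does, so you can see the same failure, or success as root, on any host. The user name "www" is only the default taken from the post; the helper names are mine.

```c
#define _DEFAULT_SOURCE 1   /* expose setgroups/initgroups in glibc headers */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Re-apply the caller's own supplementary group list. The list does not
 * change, but setgroups(2) is a privileged operation, so an unprivileged
 * process gets EPERM here exactly as jexec -U does inside initgroups(3).
 * Returns 0 on success, otherwise the errno value. */
int try_setgroups_self(void)
{
    int n = getgroups(0, NULL);          /* ask for the list length only */
    if (n < 0)
        return errno;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (list == NULL)
        return ENOMEM;
    if (n > 0 && getgroups(n, list) < 0) {
        int e = errno;
        free(list);
        return e;
    }
    int rc = (setgroups(n, list) == 0) ? 0 : errno;
    free(list);
    return rc;
}

/* The host-side step jexec -U performs for its user argument: resolve the
 * name in the host's passwd database and call initgroups(3) for it.
 * Returns 0 on success, ENOENT for an unknown user (constructed convention
 * for this example), otherwise the errno value from initgroups. */
int try_initgroups(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return ENOENT;
    if (initgroups(user, pw->pw_gid) != 0)
        return errno;
    return 0;
}

/* 1 when the effective uid is 0, i.e. setgroups(2) is expected to succeed. */
int caller_is_root(void)
{
    return geteuid() == 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "www";   /* "www" as in the post */
    int rc = try_setgroups_self();
    printf("euid=%u  setgroups(own list): %s\n", (unsigned)geteuid(),
           rc == 0 ? "ok" : strerror(rc));
    rc = try_initgroups(user);
    if (rc == ENOENT)
        printf("initgroups: %s: no such user on this host\n", user);
    else
        printf("initgroups: %s: %s\n", user, rc == 0 ? "ok" : strerror(rc));
    return 0;
}
```

Run it once as root and once via `su -m www -c ./a.out`: the second run reports "Operation not permitted" for both calls, which is the same failure the post's `su -m www -c "jexec -U www ..."` hits. It also shows why the author's working invocation (`/usr/sbin/jexec -U www b3 ...` typed as root) succeeds: the privileged caller may drop to www, but an already-unprivileged caller cannot change its group list at all, so running jexec as root, or providing a service such as sshd inside the jail, are the practical routes.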