From owner-freebsd-stable@freebsd.org Tue Nov 19 21:04:24 2019 Return-Path: <owner-freebsd-stable@freebsd.org> Delivered-To: freebsd-stable@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B5AB51BDE6A for <freebsd-stable@mailman.nyi.freebsd.org>; Tue, 19 Nov 2019 21:04:24 +0000 (UTC) (envelope-from dewaynegeraghty@gmail.com) Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47Hdc76clmz3RFN for <freebsd-stable@freebsd.org>; Tue, 19 Nov 2019 21:04:23 +0000 (UTC) (envelope-from dewaynegeraghty@gmail.com) Received: by mail-wr1-x431.google.com with SMTP id i12so25603214wro.5 for <freebsd-stable@freebsd.org>; Tue, 19 Nov 2019 13:04:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8CMwH0s1RFku6hM9DF/bhzCuN56AcrZZK8cneXqD+/c=; b=WzX5uPbVLCRw2fDPqQGV6blFnOMKmQ7mrcczVeptrZtvGUFVDHFuO+rkGxIk9uKJH8 f6bvmMejW16TNovvlLawzQLdZGKHi8+scrPZbLdQdXzMsN+sBo2lectuChF8Z1cHiRco 9rmXKxckdpoY1Hsur0KIYoVtt0cknrSRUuCJC//hvrCN5931PavlQ3pMwuMxu6/8WQQl R2mA7/2ARq/R8g/cqrsZT0i0SFkpcrNuAFbYqTlq67KuSzRdPZnjoXZlMf4XDxeGLlkB XWqF1S8u75sdaoQuVSIRg3RgZqPn8Dn148bm6ga2oKbNUFHu8Ny9V+CS5l0q9GolKdT7 Pkaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8CMwH0s1RFku6hM9DF/bhzCuN56AcrZZK8cneXqD+/c=; b=ZkrK3kbuvngvaZCZB9gkEvUQcp3QSh7F866xyAqaZyVdbmFjNSqKiVRaPLF/Q5dSaD kOYxqyVWur0bDvb2t+dDYCInsOXDUS52+yTEOnNoVMO/1nG3RtyVBSYP9q2DijLHX3mx 43Tjq613hQJKEPsVipE8dFtvHqSKTfISd5fUM2SVRna3pzBGgfGwum6f4ayTjs4AsxBS YWajWnR16QnplIgcIq6c5HogeNtQffN0HiXr15Hfr1A7pofWVjoJgqsp8G2glUEQOsae 9zjtbiHKi6wx7kyEogLjS9uVUz2scptvnf+b6eqdOoL4Xnabh7ODejKdVt5EmpY+50e5 aHCQ== X-Gm-Message-State: APjAAAX7tGk8I2AGFeiD0bRZ4l1EAyG7HfhJREnmH3NVrstH//oNyEPw EOQGRM78Z+OoUY+W2k+3jKyy4zamqpD6RJRnfEo= X-Google-Smtp-Source: APXvYqzuv1tsnDMFvKeFyfYseVk0UeveA/IXx7KC3OCwl7Cip64i/efVQp7vt9v69oGUt415Pop2DKiiPcayLTewnMU= X-Received: by 2002:adf:eecc:: with SMTP id a12mr37858266wrp.363.1574197461561; Tue, 19 Nov 2019 13:04:21 -0800 (PST) MIME-Version: 1.0 References: <1237616943.9.1574163726832@localhost> <a572c2ec-52b6-0999-9106-75051cfc9821@sentex.net> <F75AA78E-EC55-49F8-9CEA-AB6C6F0BD742@cretaforce.gr> <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz> In-Reply-To: <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz> From: Dewayne Geraghty <dewaynegeraghty@gmail.com> Date: Wed, 20 Nov 2019 08:03:54 +1100 Message-ID: <CAGnMC6o+ffV5QfLYpFZqyJhj1oca2092J7oNLqdpGXgHouVpDA@mail.gmail.com> Subject: Re: jexec as user? To: Ronald Klop <ronald-lists@klop.ws> Cc: freebsd-stable <freebsd-stable@freebsd.org> X-Rspamd-Queue-Id: 47Hdc76clmz3RFN X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=WzX5uPbV; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of dewaynegeraghty@gmail.com designates 2a00:1450:4864:20::431 as permitted sender) smtp.mailfrom=dewaynegeraghty@gmail.com X-Spamd-Result: default: False [-2.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; IP_SCORE(0.00)[ip: (-9.02), ipnet: 2a00:1450::/32(-2.72), asn: 15169(-1.97), country: US(-0.05)]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36:c]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-stable@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; IP_SCORE_FREEMAIL(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[1.3.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.list.dnswl.org : 127.0.5.0]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; SUBJECT_ENDS_QUESTION(1.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org> List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-stable>, <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/> List-Post: <mailto:freebsd-stable@freebsd.org> List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help> List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>, <mailto:freebsd-stable-request@freebsd.org?subject=subscribe> X-List-Received-Date: Tue, 19 Nov 2019 21:04:24 -0000 Good question Ronald. A test - I can login to jail (b3) where I run apache as www user, so # jexec -U www b3 /bin/tcsh > whoami; id www uid=80(www) gid=80(www) groups=80(www) Expected - good! and I can, in the host # su -m www -c "whoami; id" www uid=80(www) gid=80(www) groups=80(www) Good - so my user exists in both host and jail. Though for your purposes the host user could be anyone. So we've demonstrated that I have an unpriv'ed user in both the host and jailed context. But.... # /usr/bin/su -m www -c "jexec -U www b3 /usr/bin/whoami" jexec: initgroups: www: Operation not permitted So unless I/we can identify the cause of this, you're stuck Which surprised me, as I typically run stuff in my jails using commands from the host, like: /usr/sbin/jexec -U www b3 /usr/local/sbin/httpd -f /usr/local/etc/apache24/httpd.conf Now to part 2 of your question. I do run sshd quite happily in the jails, so that may be an option for you. (actually I use dropbear in situations where I don't required the proper audit logs and its approx 50% of the sshd resources ;))