References: <1237616943.9.1574163726832@localhost>
 <a572c2ec-52b6-0999-9106-75051cfc9821@sentex.net>
 <F75AA78E-EC55-49F8-9CEA-AB6C6F0BD742@cretaforce.gr>
 <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz>
In-Reply-To: <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz>
From: Dewayne Geraghty <dewaynegeraghty@gmail.com>
Date: Wed, 20 Nov 2019 08:03:54 +1100
Message-ID: <CAGnMC6o+ffV5QfLYpFZqyJhj1oca2092J7oNLqdpGXgHouVpDA@mail.gmail.com>
Subject: Re: jexec as user?
To: Ronald Klop <ronald-lists@klop.ws>
Cc: freebsd-stable <freebsd-stable@freebsd.org>

Good question Ronald.

A test - I can login to jail (b3) where I run apache as www user, so
# jexec -U www b3 /bin/tcsh
> whoami; id
www
uid=80(www) gid=80(www) groups=80(www)
Expected - good!

and I can, in the host
# su -m www -c "whoami; id"
www
uid=80(www) gid=80(www) groups=80(www)
Good - so my user exists in both host and jail. Though for your purposes
the host user could be anyone.

So we've demonstrated that I have an unpriv'ed user in both the host and
jailed context.  But....
# /usr/bin/su -m www -c "jexec -U www b3 /usr/bin/whoami"
jexec: initgroups: www: Operation not permitted

So unless I/we can identify the cause of this, you're stuck. Which
surprised me, as I typically run stuff in my jails using commands from the
host, like:
/usr/sbin/jexec -U www b3 /usr/local/sbin/httpd -f /usr/local/etc/apache24/httpd.conf

Now to part 2 of your question.  I do run sshd quite happily in the jails,
so that may be an option for you.  (Actually I use dropbear in situations
where I don't require the proper audit logs and it's approx 50% of the sshd
resources ;))