Date:      Thu, 26 Aug 2021 02:09:29 +0100
From:      Jamie Landeg-Jones <jamie@catflap.org>
To:        freebsd-hackers@FreeBSD.org, antranigv@freebsd.am
Subject:   Re: Need advice: Better Jail integration into ps/top, setpwfile gone forever?
Message-ID:  <202108260109.17Q19TR1092883@donotpassgo.dyslexicfish.net>
In-Reply-To: <1B45F065-DC9D-40C9-958F-7D4D64DE8993@freebsd.am>
References:  <1B45F065-DC9D-40C9-958F-7D4D64DE8993@freebsd.am>

I have no specific answer to your questions, but just a few thoughts:

As a policy, I allocate a uid/gid range to the jails that are unused on the host.
I only do it with user accounts, servers/daemons are left as they are. (though
ideally they would be changed too)

To improve on this, I think a per-jail configurable "uid" and "gid" offset would
seem a good idea, so for instance, if you set jail_uid_increment = 10000 then
anything with uid "0" in the jail would actually be running under uid 10,000 but
the jail would translate the uid/gid on the fly inside the jail. That would help
when the jails are administered by other people who you can't guarantee will follow
your policy.

Having a jail uid/gid being used by a host user/group can cause other problems:

- Any user on the host must be trusted, because they have access to processes
  running under the jail that use their uid.

- Even if you patch ps and top, the issue you cite could come back to bite in the
  future in other ways (How can a non jail-aware program grok this response if a
  username exists in the host and the jail, but with different uids? (the same
  principle applies to groups too))

Finally, if you do proceed with this, do you think it would be a good idea to
prefix the result with the jail number?

I.e. in your case, something like "1:antranigv"

Just a few thoughts, it will be interesting to see how you progress, as this
was something that bugged me when I was managing jails.

Cheers, Jamie
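As an added illustration, not part of Jamie's message or of any FreeBSD code, here is a small Python model of the per-jail uid offset idea, the host/jail uid collision check, and the "jid:name" rendering. The jail_uid_increment knob, the passwd records and the jail ids are constructed assumptions; the same arithmetic applies to gids.

```python
# Constructed passwd-style records (name, uid, gid); not real host or jail data.
HOST_PASSWD = [("root", 0, 0), ("www", 80, 80), ("jamie", 1001, 1001)]
JAIL_PASSWD = {1: [("root", 0, 0), ("www", 80, 80), ("antranigv", 1001, 1001)]}

# Hypothetical knob from the message: host uid = jid * increment + jail uid.
JAIL_UID_INCREMENT = 10000


def host_uid(jid, jail_uid, increment=JAIL_UID_INCREMENT):
    """Translate an in-jail uid to the uid the host would actually run it as."""
    return jid * increment + jail_uid


def jail_of_uid(uid, increment=JAIL_UID_INCREMENT):
    """Inverse mapping: (jid, jail_uid). jid 0 means the host itself."""
    return divmod(uid, increment)


def colliding_uids(host, jail):
    """uids live in the jail that a host user also owns: the case where a host
    user could reach processes running under that uid inside the jail."""
    host_uids = {uid for _, uid, _ in host}
    return sorted({uid for _, uid, _ in jail if uid in host_uids})


def display_name(uid, host=HOST_PASSWD, jails=JAIL_PASSWD,
                 increment=JAIL_UID_INCREMENT):
    """Jail-aware uid -> name lookup for a ps/top-style display.
    Host users render plainly; jailed users render as "jid:name"."""
    jid, juid = jail_of_uid(uid, increment)
    table = host if jid == 0 else jails.get(jid, [])
    for name, u, _ in table:
        if u == juid:
            return name if jid == 0 else f"{jid}:{name}"
    return str(uid)  # unknown uid: fall back to the number, as ps does


if __name__ == "__main__":
    # Without an offset, jail 1 reuses every host uid in this constructed data.
    print("collisions:", colliding_uids(HOST_PASSWD, JAIL_PASSWD[1]))
    # With the offset, jail root lands on host uid 10000 and names disambiguate.
    print("jail root on host:", host_uid(1, 0))
    print(display_name(1001), display_name(host_uid(1, 1001)))
```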
