Date: Tue, 30 Sep 2008 10:42:09 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: George Mamalakis <mamalos@eng.auth.gr>
Cc: freebsd-stable@freebsd.org
Subject: Re: jails and mac_seeotheruids problems in 6-STABLE
Message-ID: <alpine.BSF.1.10.0809301040490.71734@fledge.watson.org>
In-Reply-To: <48E1EBE1.50206@eng.auth.gr>
References: <48E1EBE1.50206@eng.auth.gr>
On Tue, 30 Sep 2008, George Mamalakis wrote:

> I have 3 servers in my lab. 2 of them are running 6-STABLE and one of them
> is running 7-STABLE. All three have services running in jails. I noticed a
> very peculiar behavior in 6-STABLE when I set the sysctl
> security.mac.seeotheruids.enabled=1. The root user in my jails was not able
> to see processes and sockets owned by other users of the same jail, whereas
> the root user of the host system could see every process (thank the
> Almighty). The same behavior does not apply on the server running 7-STABLE.
>
> In one sense it is more secure, since the root user in a jail is not as
> "strong" as the root user should be in a UNIX system. On the other hand, the
> root user loses its purpose of existence, which I suppose is a bug.
>
> Below are the security.mac sysctl settings of both 6 and 7-STABLE:

Could you try modifying src/sys/security/mac_seeotheruids/mac_seeotheruids.c
in a 6.x tree so that the call to suser_cred() in mac_seeotheruids_check()
passes the SUSER_ALLOWJAIL flag rather than 0? This may correct the problem
you're experiencing. Let me know and I can merge that change to 6.x.

Robert N M Watson
Computer Laboratory
University of Cambridge

> 6-STABLE:
>
> security.mac.max_slots: 4
> security.mac.enforce_network: 1
> security.mac.enforce_pipe: 1
> security.mac.enforce_posix_sem: 1
> security.mac.enforce_suid: 1
> security.mac.mmap_revocation_via_cow: 0
> security.mac.mmap_revocation: 1
> security.mac.enforce_vm: 1
> security.mac.enforce_process: 1
> security.mac.enforce_socket: 1
> security.mac.enforce_system: 1
> security.mac.enforce_kld: 1
> security.mac.enforce_sysv_msg: 1
> security.mac.enforce_sysv_sem: 1
> security.mac.enforce_sysv_shm: 1
> security.mac.enforce_fs: 1
> security.mac.seeotheruids.specificgid: 0
> security.mac.seeotheruids.specificgid_enabled: 0
> security.mac.seeotheruids.primarygroup_enabled: 0
> security.mac.seeotheruids.enabled: 1
> security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443
> security.mac.portacl.port_high: 1023
> security.mac.portacl.autoport_exempt: 1
> security.mac.portacl.suser_exempt: 1
> security.mac.portacl.enabled: 1
>
> 7-STABLE:
>
> security.mac.max_slots: 4
> security.mac.version: 3
> security.mac.mmap_revocation_via_cow: 0
> security.mac.mmap_revocation: 1
> security.mac.seeotheruids.specificgid: 0
> security.mac.seeotheruids.specificgid_enabled: 0
> security.mac.seeotheruids.suser_privileged: 1
> security.mac.seeotheruids.primarygroup_enabled: 0
> security.mac.seeotheruids.enabled: 1
>
> I would be very glad if someone could inform me whether I am doing something
> wrong; if not I think I should inform FreeBSD about this bug.
>
> Thank you guys in advance,
>
> --
> George Mamalakis
>
> IT Officer
> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
> MSc (Imperial College of London)
>
> Department of Electrical and Computer Engineering
> Faculty of Engineering
> Aristotle University of Thessaloniki
>
> phone number : +30 (2310) 994379
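The behaviour Robert's suggested change addresses, as an added example that is not FreeBSD source code and not part of the thread: a user-space C model of the privilege check on the mac_seeotheruids path. It mirrors the shape of a 6.x-style `mac_seeotheruids_check()` calling `suser_cred()` (same-real-uid test first, then a superuser test, with the primarygroup and specificgid tunables left at their default of 0) so that the difference between passing `0` and passing `SUSER_ALLOWJAIL` can be observed on constructed credentials. The `model_ucred` struct, the value of `SUSER_ALLOWJAIL`, and the simplified body of `suser_cred()` are assumptions of this model, not the kernel's definitions.

```c
/*
 * Added example: user-space model of the mac_seeotheruids subject check.
 * Not the FreeBSD kernel's code; struct layout, flag value and the body of
 * suser_cred() are simplified assumptions that keep only the logic needed
 * to show the effect of the SUSER_ALLOWJAIL flag.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define SUSER_ALLOWJAIL 0x1     /* assumed value; meaning: allow jailed root */

/* Minimal stand-in for struct ucred: only what the check consults. */
struct model_ucred {
    unsigned cr_uid;    /* effective uid */
    unsigned cr_ruid;   /* real uid */
    bool     cr_jailed; /* models jailed(cred) */
};

/*
 * Model of suser_cred(): 0 if the credential is privileged (uid 0),
 * EPERM otherwise.  Without SUSER_ALLOWJAIL a jailed uid 0 is not
 * considered privileged, which is the crux of the reported behaviour.
 */
int
model_suser_cred(const struct model_ucred *cred, int flag)
{
    if (cred->cr_uid != 0)
        return (EPERM);
    if (cred->cr_jailed && !(flag & SUSER_ALLOWJAIL))
        return (EPERM);
    return (0);
}

/*
 * Model of mac_seeotheruids_check(): may u1 see u2's processes/sockets?
 * Returns 0 when visible, ESRCH when hidden.  suser_flags is the value the
 * policy passes to suser_cred(): 0 (reported 6.x) or SUSER_ALLOWJAIL (fix).
 */
int
model_seeotheruids_check(const struct model_ucred *u1,
    const struct model_ucred *u2, int suser_flags)
{
    if (u1->cr_ruid == u2->cr_ruid)
        return (0);             /* same real uid: always visible */
    if (model_suser_cred(u1, suser_flags) == 0)
        return (0);             /* privileged subject: may see everyone */
    return (ESRCH);
}

/* Scenario from the thread: root inside a jail looking at uid 80 in it. */
int
jailed_root_sees_other(int suser_flags)
{
    struct model_ucred jail_root = { 0, 0, true };    /* constructed */
    struct model_ucred jail_www  = { 80, 80, true };  /* constructed */
    return (model_seeotheruids_check(&jail_root, &jail_www, suser_flags) == 0);
}

/* Host root looking at the same jailed uid 80 process. */
int
host_root_sees_other(int suser_flags)
{
    struct model_ucred host_root = { 0, 0, false };   /* constructed */
    struct model_ucred jail_www  = { 80, 80, true };  /* constructed */
    return (model_seeotheruids_check(&host_root, &jail_www, suser_flags) == 0);
}

/* An unprivileged user must stay restricted regardless of the flag. */
int
unpriv_sees_other(int suser_flags)
{
    struct model_ucred user_a = { 1001, 1001, true }; /* constructed */
    struct model_ucred user_b = { 1002, 1002, true }; /* constructed */
    return (model_seeotheruids_check(&user_a, &user_b, suser_flags) == 0);
}

int
main(void)
{
    printf("jailed root, flag 0:               %s\n",
        jailed_root_sees_other(0) ? "visible" : "hidden");
    printf("jailed root, SUSER_ALLOWJAIL:      %s\n",
        jailed_root_sees_other(SUSER_ALLOWJAIL) ? "visible" : "hidden");
    printf("host root, flag 0:                 %s\n",
        host_root_sees_other(0) ? "visible" : "hidden");
    printf("unprivileged, SUSER_ALLOWJAIL:     %s\n",
        unpriv_sees_other(SUSER_ALLOWJAIL) ? "visible" : "hidden");
    return (0);
}
```

Running it shows the three cases side by side: with flag `0` the jailed root is treated like any other uid and loses sight of other users in its own jail (the 6-STABLE symptom), while host root is unaffected; with `SUSER_ALLOWJAIL` jailed root regains visibility, and an unprivileged user remains restricted either way, which is the property an administrator wants to confirm before and after merging such a change.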