From owner-freebsd-stable@FreeBSD.ORG Tue Sep 30 09:42:10 2008 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4A12C1065687 for ; Tue, 30 Sep 2008 09:42:10 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id 2623D8FC1E for ; Tue, 30 Sep 2008 09:42:10 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by cyrus.watson.org (Postfix) with ESMTP id AF6AA46B8C; Tue, 30 Sep 2008 05:42:09 -0400 (EDT) Date: Tue, 30 Sep 2008 10:42:09 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: George Mamalakis In-Reply-To: <48E1EBE1.50206@eng.auth.gr> Message-ID: References: <48E1EBE1.50206@eng.auth.gr> User-Agent: Alpine 1.10 (BSF 962 2008-03-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-stable@freebsd.org Subject: Re: jails and mac_seeotheruids problems in 6-STABLE X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2008 09:42:10 -0000 On Tue, 30 Sep 2008, George Mamalakis wrote: > I have 3 servers in my lab. 2 of them are running 6-STABLE and one of them > is running 7-STABLE. All three have services running in jails. I noticed a > very peculiar behavior in 6-STABLE when I set the sysctl > security.mac.seeotheruids.enabled=1. The root user in my jails was not able > to see processes and sockets owned by other users of the same jail, whereas > the root user of the host system could see every process (thank the > Almighty). The same behavior does not apply on the server running 7-STABLE. > > In one sense it is more secure, since the root user in a jail is not as > "strong" as the root user should be in a UNIX system. On the other hand, the > root user looses its purpose of existence, which I suppose is a bug. > > Below are the security.mac sysctl settings of both 6 and 7-STABLE: Could you try modifying src/sys/security/mac_seeotheruids/mac_seeotheruids.c in a 6.x tree so that the call to suser_cred() in mac_seeotheruids_check() passes the SUSER_ALLOWJAIL flag rather than 0? This may correct the problem you're experiencing. Let me know and I can merge that change to 6.x. Robert N M Watson Computer Laboratory University of Cambridge > > 6-STABLE: > > security.mac.max_slots: 4 > security.mac.enforce_network: 1 > security.mac.enforce_pipe: 1 > security.mac.enforce_posix_sem: 1 > security.mac.enforce_suid: 1 > security.mac.mmap_revocation_via_cow: 0 > security.mac.mmap_revocation: 1 > security.mac.enforce_vm: 1 > security.mac.enforce_process: 1 > security.mac.enforce_socket: 1 > security.mac.enforce_system: 1 > security.mac.enforce_kld: 1 > security.mac.enforce_sysv_msg: 1 > security.mac.enforce_sysv_sem: 1 > security.mac.enforce_sysv_shm: 1 > security.mac.enforce_fs: 1 > security.mac.seeotheruids.specificgid: 0 > security.mac.seeotheruids.specificgid_enabled: 0 > security.mac.seeotheruids.primarygroup_enabled: 0 > security.mac.seeotheruids.enabled: 1 > security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443 > security.mac.portacl.port_high: 1023 > security.mac.portacl.autoport_exempt: 1 > security.mac.portacl.suser_exempt: 1 > security.mac.portacl.enabled: 1 > > > 7-STABLE: > > security.mac.max_slots: 4 > security.mac.version: 3 > security.mac.mmap_revocation_via_cow: 0 > security.mac.mmap_revocation: 1 > security.mac.seeotheruids.specificgid: 0 > security.mac.seeotheruids.specificgid_enabled: 0 > security.mac.seeotheruids.suser_privileged: 1 > security.mac.seeotheruids.primarygroup_enabled: 0 > security.mac.seeotheruids.enabled: 1 > > I would be very glad if someone could inform me whether I am doing something > wrong; if not I think I should inform FreeBSD about this bug. > > Thank you guys in advance, > > -- > George Mamalakis > > IT Officer > Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), > MSc (Imperial College of London) > > Department of Electrical and Computer Engineering > Faculty of Engineering > Aristotle University of Thessaloniki > > phone number : +30 (2310) 994379 > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" >