From owner-freebsd-stable@FreeBSD.ORG Tue Sep 30 12:30:24 2008 Return-Path: Delivered-To: freebsd-stable@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A7CD91065690 for ; Tue, 30 Sep 2008 12:30:24 +0000 (UTC) (envelope-from mamalos@eng.auth.gr) Received: from vergina.eng.auth.gr (vergina.eng.auth.gr [155.207.18.1]) by mx1.freebsd.org (Postfix) with ESMTP id 383128FC1C for ; Tue, 30 Sep 2008 12:30:23 +0000 (UTC) (envelope-from mamalos@eng.auth.gr) Received: from mamalacation.ee.auth.gr (mamalacation.ee.auth.gr [155.207.33.29]) by vergina.eng.auth.gr (8.14.3/8.14.1) with ESMTP id m8UCUNN4049482; Tue, 30 Sep 2008 15:30:23 +0300 (EEST) (envelope-from mamalos@eng.auth.gr) Message-ID: <48E21BD9.1080101@eng.auth.gr> Date: Tue, 30 Sep 2008 15:30:17 +0300 From: George Mamalakis User-Agent: Thunderbird 2.0.0.16 (X11/20080821) MIME-Version: 1.0 To: Robert Watson References: <48E1EBE1.50206@eng.auth.gr> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.91.2/8358/Tue Sep 30 14:06:39 2008 on vergina.eng.auth.gr X-Virus-Status: Clean Cc: freebsd-stable@FreeBSD.org Subject: Re: jails and mac_seeotheruids problems in 6-STABLE X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2008 12:30:24 -0000 It works like a charm! Thank you very much for your time and help, regards, Robert Watson wrote: > > On Tue, 30 Sep 2008, George Mamalakis wrote: > >> I have 3 servers in my lab. 2 of them are running 6-STABLE and one of >> them is running 7-STABLE. All three have services running in jails. I >> noticed a very peculiar behavior in 6-STABLE when I set the sysctl >> security.mac.seeotheruids.enabled=1. The root user in my jails was >> not able to see processes and sockets owned by other users of the >> same jail, whereas the root user of the host system could see every >> process (thank the Almighty). The same behavior does not apply on the >> server running 7-STABLE. >> >> In one sense it is more secure, since the root user in a jail is not >> as "strong" as the root user should be in a UNIX system. On the other >> hand, the root user looses its purpose of existence, which I suppose >> is a bug. >> >> Below are the security.mac sysctl settings of both 6 and 7-STABLE: > > Could you try modifying > src/sys/security/mac_seeotheruids/mac_seeotheruids.c in a 6.x tree so > that the call to suser_cred() in mac_seeotheruids_check() passes the > SUSER_ALLOWJAIL flag rather than 0? This may correct the problem > you're experiencing. Let me know and I can merge that change to 6.x. > > Robert N M Watson > Computer Laboratory > University of Cambridge > >> >> 6-STABLE: >> >> security.mac.max_slots: 4 >> security.mac.enforce_network: 1 >> security.mac.enforce_pipe: 1 >> security.mac.enforce_posix_sem: 1 >> security.mac.enforce_suid: 1 >> security.mac.mmap_revocation_via_cow: 0 >> security.mac.mmap_revocation: 1 >> security.mac.enforce_vm: 1 >> security.mac.enforce_process: 1 >> security.mac.enforce_socket: 1 >> security.mac.enforce_system: 1 >> security.mac.enforce_kld: 1 >> security.mac.enforce_sysv_msg: 1 >> security.mac.enforce_sysv_sem: 1 >> security.mac.enforce_sysv_shm: 1 >> security.mac.enforce_fs: 1 >> security.mac.seeotheruids.specificgid: 0 >> security.mac.seeotheruids.specificgid_enabled: 0 >> security.mac.seeotheruids.primarygroup_enabled: 0 >> security.mac.seeotheruids.enabled: 1 >> security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443 >> security.mac.portacl.port_high: 1023 >> security.mac.portacl.autoport_exempt: 1 >> security.mac.portacl.suser_exempt: 1 >> security.mac.portacl.enabled: 1 >> >> >> 7-STABLE: >> >> security.mac.max_slots: 4 >> security.mac.version: 3 >> security.mac.mmap_revocation_via_cow: 0 >> security.mac.mmap_revocation: 1 >> security.mac.seeotheruids.specificgid: 0 >> security.mac.seeotheruids.specificgid_enabled: 0 >> security.mac.seeotheruids.suser_privileged: 1 >> security.mac.seeotheruids.primarygroup_enabled: 0 >> security.mac.seeotheruids.enabled: 1 >> >> I would be very glad if someone could inform me whether I am doing >> something wrong; if not I think I should inform FreeBSD about this bug. >> >> Thank you guys in advance, >> >> -- >> George Mamalakis >> >> IT Officer >> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), >> MSc (Imperial College of London) >> >> Department of Electrical and Computer Engineering >> Faculty of Engineering >> Aristotle University of Thessaloniki >> >> phone number : +30 (2310) 994379 >> >> _______________________________________________ >> freebsd-stable@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-stable >> To unsubscribe, send any mail to >> "freebsd-stable-unsubscribe@freebsd.org" >> -- George Mamalakis IT Officer Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London) Department of Electrical and Computer Engineering Faculty of Engineering Aristotle University of Thessaloniki phone number : +30 (2310) 994379