From: "Mooneer Salem" <mooneer@translator.cx>
To: "Pawel Jakub Dawidek"
Cc: "FreeBSD Hackers" <freebsd-hackers@freebsd.org>
Subject: RE: Jail seperation patch
Date: Mon, 3 Mar 2003 15:08:22 -0800
In-Reply-To: <20030227154351.GQ330@garage.freebsd.pl>

Hello,

My test settings are as follows:

Host system (pacific.lifeafterking.org): 10.0.0.2, 10.0.0.3, 10.0.0.4
Jail (test.lifeafterking.org): 10.0.0.3, 10.0.0.4

I also made a new patch which fixes these issues:

1. Telnetting to 0.0.0.0 in the jail now redirects to the first jail IP.
2. Non-root users outside a jail cannot access any files inside a jail (sysctl controllable).

The patch can be downloaded at http://msalem.translator.cx/dist/jail_seperation.v6.patch.
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/

-----Original Message-----
From: owner-freebsd-hackers@FreeBSD.ORG [mailto:owner-freebsd-hackers@FreeBSD.ORG] On Behalf Of Pawel Jakub Dawidek
Sent: Thursday, February 27, 2003 7:44 AM
To: Mooneer Salem
Cc: FreeBSD Hackers
Subject: Re: Jail seperation patch

On Thu, Feb 27, 2003 at 07:16:15AM -0800, Mooneer Salem wrote:
> Actually, I just gave it blah.lifeafterking.org in /etc/hosts. 10.0.0.4
> really *is* in the same jail:
>
> %ifconfig
> lnc0: flags=8843 mtu 1500
>         inet 10.0.0.3 netmask 0xffffffff broadcast 10.0.0.3
>         inet 10.0.0.4 netmask 0xffffffff broadcast 10.0.0.4
>         ether 00:50:56:e0:26:54
> lo0: flags=8049 mtu 16384
> %hostname
> test.lifeafterking.org
> %

Ehh, so now I know nothing about your test settings. After all, the problem isn't so trivial.

> As for the hide files code, I found a possible location for it, in
> vfs_subr.c (extattr_check_cred()). I added this block to it:
[...]

IMHO very dirty and not complete. Jails don't have to be chrooted to a different mount point, and checks like those should be done between vnodes, not pathnames.

In my opinion a better way is just to create another jail and not give regular users access to the main host.

--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
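Pawel's objection, that a "is this file inside the jail" decision must compare vnodes rather than pathnames, as an added userland illustration that is not code from the thread or from the patch (the helper names and the constructed temporary tree are my own). A prefix check on the pathname is fooled both by a symlink inside the jail root and by a sibling directory whose name merely shares the prefix; comparing (st_dev, st_ino) identities while letting the kernel resolve ".." from the real directory is not.

```python
import os
import shutil
import tempfile


def inside_by_name(root, path):
    """Pathname check (the flawed approach): is root a prefix of the path?
    Neither symlinks nor a missing trailing '/' are taken into account."""
    return os.path.abspath(path).startswith(root)


def ident(path):
    """Userland stand-in for a vnode identity: (device, inode) of the object the
    kernel resolves path to, following symlinks as a lookup would."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def inside_by_vnode(root, path):
    """Identity check: walk '..' from the target's directory and report whether
    the jail root's (dev, ino) is reached before the filesystem root is."""
    root_id = ident(root)
    if os.path.islink(path) and not os.path.isdir(path):
        # A symlinked final component: resolve one hop, as the kernel would
        # before deciding on the target vnode (chained links not handled).
        path = os.path.join(os.path.dirname(path), os.readlink(path))
    cur = path if os.path.isdir(path) else os.path.dirname(path)
    while True:
        cur_id = ident(cur)
        if cur_id == root_id:
            return True
        parent = os.path.join(cur, "..")
        if ident(parent) == cur_id:  # '/..' is '/': reached the fs root
            return False
        cur = parent


def demo():
    """Constructed tree: base/jail (jail root) with etc/, base/jail2 (a sibling
    sharing the name prefix), base/outside/secret, and base/jail/escape, a
    symlink pointing at base/outside. Returns (by_name, by_vnode) per case."""
    base = tempfile.mkdtemp()
    root, outside = os.path.join(base, "jail"), os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(base, "jail2"))
    os.makedirs(outside)
    open(os.path.join(outside, "secret"), "w").close()
    os.symlink(outside, os.path.join(root, "escape"))
    cases = {"etc": os.path.join(root, "etc"),
             "escape": os.path.join(root, "escape", "secret"),
             "sibling": os.path.join(base, "jail2")}
    result = {n: (inside_by_name(root, p), inside_by_vnode(root, p))
              for n, p in cases.items()}
    shutil.rmtree(base)
    return result
```

The "escape" and "sibling" cases come back as inside by name but outside by identity, which is exactly the gap a pathname-based check in extattr_check_cred() would leave open.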