Date: Mon, 29 May 2006 16:38:38 +0200
From: Anatoli Klassen <anatoli@aksoft.net>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-hackers@freebsd.org
Subject: Re: security.bsd.see_other_uids for jails
Message-ID: <447B076E.1080503@aksoft.net>
In-Reply-To: <20060528152510.GA39279@walton.maths.tcd.ie>
References: <4479A99E.8080708@aksoft.net> <20060528152510.GA39279@walton.maths.tcd.ie>
David Malone wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
>> If security.bsd.see_other_uids is set to 0, users from the main system
>> can still see processes from jails if they have (by accident) the same uid.
>>
>> For me it's wrong behavior because the main system and the jail are two
>> different systems where uids are independent.
>
> You could try the following (untested) patch to the MAC seeotheruid
> module. You'd need to compile a kernel with the MAC option and then:
>

Thanks for the patch, maybe I'll need something like that for my environment.

But my question is whether it's really intended that a jail is not a real
virtual system but just a way to limit interaction from the jail to the
host and not vice versa. If that's the case, then this has to be specified
in jail(8).

Regards,
Anatoli
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?447B076E.1080503>
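The following is an added example, not part of the thread and not David's patch, that reproduces the behaviour Anatoli reports and makes the leak visible in a process listing. It assumes a FreeBSD host with root access, the modern jail(8) configuration syntax (name=/persist/path=, newer than the 2006 thread), the ps(1) jid keyword, and a throwaway jail name (seetest), host user uid (1001) and temp file path that are all placeholders for this example. The two awk helpers operate on a captured `ps -axo jid,uid,pid,comm` listing, so the classification part can be run offline on any system; the live reproduction only runs when RUN_LIVE=1 on FreeBSD as root.

```shell
#!/bin/sh
# Added example: show which jailed processes a host user can see when
# security.bsd.see_other_uids=0. Not code from the original thread.

# visible_under_seeotheruid UID
# Reads a "JID UID PID COMMAND" listing on stdin and prints the pids a host
# user with UID sees under see_other_uids=0: every process with the same
# uid, whether it lives in a jail or not (the behaviour Anatoli observed).
visible_under_seeotheruid() {
    awk -v uid="$1" '
        $1 == "JID" { next }          # skip the ps header line
        $2 == uid   { print $3 }
    '
}

# cross_jail_leaks UID VIEWER_JID
# Same input; prints only the pids that share UID but belong to a jail
# other than VIEWER_JID (0 for the host). These are the entries a
# "uids are independent per jail" policy would hide.
cross_jail_leaks() {
    awk -v uid="$1" -v jid="$2" '
        $1 == "JID" { next }
        $2 == uid && $1 != jid { print $3 }
    '
}

# live_repro: FreeBSD only, run as root. Creates a throwaway jail, starts a
# process in it under TEST_UID, then lists processes as the same host uid.
# Jail name, path, uid and temp file are assumptions for this example.
live_repro() {
    uid=${TEST_UID:-1001}
    user=$(id -un "$uid")
    listing=/tmp/seetest.ps

    sysctl security.bsd.see_other_uids=0
    jail -c name=seetest persist path=/ host.hostname=seetest
    # -u: host user name whose credentials the jailed command runs with
    jexec -u "$user" seetest sleep 300 &
    sleep 1

    echo "Host view for uid $uid:"
    su -m "$user" -c 'ps -axo jid,uid,pid,comm' | tee "$listing"

    echo "Jailed processes leaking into the host user's view:"
    cross_jail_leaks "$uid" 0 < "$listing"

    jail -r seetest
    rm -f "$listing"
}

if [ "${RUN_LIVE:-0}" = 1 ] && [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    live_repro
fi
```

Run it as `RUN_LIVE=1 TEST_UID=1001 sh seetest.sh` on a FreeBSD host to see the jailed `sleep` appear in the unprivileged host user's `ps` output; piping any saved listing into `cross_jail_leaks` gives the same classification without touching sysctls or jails.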