Message-ID: <447B076E.1080503@aksoft.net>
Date: Mon, 29 May 2006 16:38:38 +0200
From: Anatoli Klassen
To: David Malone
Cc: freebsd-hackers@freebsd.org
Subject: Re: security.bsd.see_other_uids for jails
References: <4479A99E.8080708@aksoft.net> <20060528152510.GA39279@walton.maths.tcd.ie>
In-Reply-To: <20060528152510.GA39279@walton.maths.tcd.ie>
List-Id: Technical Discussions relating to FreeBSD

David Malone wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
>> if security.bsd.see_other_uids is set to 0, users from the main system
>> can still see processes from jails if they have (by accident) the same uid.
>>
>> For me it's wrong behavior because the main system and the jail are two
>> different systems where uids are independent.
>
> You could try the following (untested) patch to the MAC seeotheruid
> module. You'd need to compile a kernel with the MAC option and then:
>

Thanks for the patch, maybe I'll need something like that for my environment.

But my question is if it's really intended that a jail is not a real virtual system but just a way to limit interaction from jail to host and not vice versa. If it's the case, then this has to be specified in jail(8).

Regards,
Anatoli