Date: Thu, 15 Jan 2009 09:48:59 -0800 From: Snuggles <snuggles@w00ttech.com> To: utisoft@gmail.com Cc: freebsd-security@freebsd.org Subject: Re: Thoughts on jail privilege (FAQ submission) Message-ID: <d189324c0901150948w6cb1734bi10aa22e104e12a5e@mail.gmail.com> In-Reply-To: <b79ecaef0901150909t54acd194t8236ded99fa2150b@mail.gmail.com> References: <b79ecaef0901150909t54acd194t8236ded99fa2150b@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
The best practice that I've been following is to not offer any services on the host install and do not allow users to login to the host. The only accounts on the host are root, and my admin user. On Thu, Jan 15, 2009 at 9:09 AM, Chris Rees <utisoft@googlemail.com> wrote: > Hey all, > > I think that there should be a warning (on the jail man page or > handbook page perhaps), on setuid in jails. Ex: > > John <-- user on the (host) server > > I give John root access to a jail (just for him to play with), and he > then sets vi (for example) to setuid root. He then sshs into the host, > and uses > > $ /usr/jail/johnsandbox/usr/bin/vi /usr/local/etc/sudoers > > He now has root! > > Am I completely thick not to have noticed this, or should there be a > warning about people being allowed to have root in a jail where they > have unprivileged access to the host? Or have I missed the point of a > jail? > > Regards > > Chris > -- > R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf) > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d189324c0901150948w6cb1734bi10aa22e104e12a5e>