From owner-freebsd-security@FreeBSD.ORG  Thu Jan 15 18:15:21 2009
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 79F9E106564A
	for <freebsd-security@freebsd.org>;
	Thu, 15 Jan 2009 18:15:21 +0000 (UTC)
	(envelope-from jared@w00ttech.com)
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.31])
	by mx1.freebsd.org (Postfix) with ESMTP id 398D18FC19
	for <freebsd-security@freebsd.org>;
	Thu, 15 Jan 2009 18:15:21 +0000 (UTC)
	(envelope-from jared@w00ttech.com)
Received: by yw-out-2324.google.com with SMTP id 9so491788ywe.13
	for <freebsd-security@freebsd.org>;
	Thu, 15 Jan 2009 10:15:20 -0800 (PST)
Received: by 10.100.45.9 with SMTP id s9mr382868ans.103.1232041739210;
	Thu, 15 Jan 2009 09:48:59 -0800 (PST)
Received: by 10.100.8.18 with HTTP; Thu, 15 Jan 2009 09:48:59 -0800 (PST)
Message-ID: <d189324c0901150948w6cb1734bi10aa22e104e12a5e@mail.gmail.com>
Date: Thu, 15 Jan 2009 09:48:59 -0800
From: Snuggles <snuggles@w00ttech.com>
To: utisoft@gmail.com
In-Reply-To: <b79ecaef0901150909t54acd194t8236ded99fa2150b@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <b79ecaef0901150909t54acd194t8236ded99fa2150b@mail.gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Thoughts on jail privilege (FAQ submission)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jan 2009 18:15:21 -0000

The best practice that I've been following is to not offer any
services on the host install and do not allow users to login to the
host.  The only accounts on the host are root, and my admin user.

On Thu, Jan 15, 2009 at 9:09 AM, Chris Rees <utisoft@googlemail.com> wrote:
> Hey all,
>
> I think that there should be a warning (on the jail man page or
> handbook page perhaps), on setuid in jails. Ex:
>
> John <-- user on the (host) server
>
> I give John root access to a jail (just for him to play with), and he
> then sets vi (for example) to setuid root. He then sshs into the host,
> and uses
>
> $ /usr/jail/johnsandbox/usr/bin/vi /usr/local/etc/sudoers
>
> He now has root!
>
> Am I completely thick not to have noticed this, or should there be a
> warning about people being allowed to have root in a jail where they
> have unprivileged access to the host? Or have I missed the point of a
> jail?
>
> Regards
>
> Chris
> --
> R< $&h ! > $- ! $+      $@ $2 < @ $1 .UUCP. > (sendmail.cf)
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>