Date: Tue, 13 Mar 2018 17:41:28 -0400
From: Theron Tarigo <theron.tarigo@gmail.com>
To: Kristoffer Eriksson <ske@pkmab.se>
Cc: freebsd-hackers@freebsd.org
Subject: Re: GSoC Idea: per-process filesystem namespaces for FreeBSD
Message-ID: <a6d837e2-a1f5-b1d7-c0ed-eb3b401a0377@gmail.com>
In-Reply-To: <201803132055.aa28780@berenice.pkmab.se>
References: <201803132055.aa28780@berenice.pkmab.se>
Hi Kristoffer,

That will of course need to be worked out, since it is the classic safety problem of chroot. The first idea I can think of is that any user-switching (i.e. executing setuid files) resets the namespace, similarly to "su - " resetting the environment variables by way of simulating a new login. Maybe it will not work out to be so simple, as I can see there will be a lot of research ahead for me, but I feel strongly that it will not be insurmountable.

If I implement this as a special filesystem rather than as a modification to the vfs, it can be as simple as not allowing any setuid, as with the "nosuid" option of existing filesystems.

As I understand it, Plan9 uses namespaces so thoroughly that a superuser is not needed and all restrictions of privilege are accomplished through launching "unprivileged" processes into a namespace that contains only the resources that user should have access to. While this may make sense within Plan9, it is sufficiently alien to the Unix ways of handling security that I don't think it makes any sense to try to do things this way on FreeBSD. There will probably always be security risks associated with anything running as uid 0 regardless of restrictions to its environment.*

What I am trying to accomplish is to stay roughly within the Unix model but to provide a layer of flexibility appropriate for addressing a specific need, and the solution I have in mind happens to parallel a Plan9 concept.

Theron

* """
In addition, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail and thereby obtain elevated privileges in the host environment.
""" - JAIL(8) manual

On 03/13/18 15:55, Kristoffer Eriksson wrote:
> On 13 Mar 2018 12:53:18, Theron <theron.tarigo@gmail.com> wrote:
>> For those unfamiliar with Plan9, here is a rough explanation of the
>> namespace feature: unlike in Unix, where all processes share the same
>> virtual filesystem, each process instead has its own view of the
>> filesystem according to what has been mounted ...
> What if I mount a new /etc with a passwd file where root has no
> password, and then run "su"?
>
> (How does Plan9 handle that?)
>
> Regards/Kristoffer Eriksson