From owner-freebsd-questions@FreeBSD.ORG  Tue May 20 04:17:15 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 12C8A37B401
	for <freebsd-questions@freebsd.org>;
	Tue, 20 May 2003 04:17:15 -0700 (PDT)
Received: from pip.lemonia.org (pc-80-192-57-7-az.blueyonder.co.uk
	[80.192.57.7])	by mx1.FreeBSD.org (Postfix) with ESMTP id 38BC743FA3
	for <freebsd-questions@freebsd.org>;
	Tue, 20 May 2003 04:17:13 -0700 (PDT)
	(envelope-from lemon@aldigital.co.uk)
Received: (qmail 49326 invoked from network); 20 May 2003 11:18:00 -0000
Received: from unknown (HELO aldigital.co.uk) (192.168.1.3)
  by 192.168.1.4 with SMTP; 20 May 2003 11:18:00 -0000
Message-ID: <3ECA0EB6.3020500@aldigital.co.uk>
Date: Tue, 20 May 2003 12:17:10 +0100
From: lemon <lemon@aldigital.co.uk>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4a) Gecko/20030408
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: jail manipulation of routing table
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2003 11:17:15 -0000


hi,

i'm puzzled about a jail'd root user's ability to manipulate the host's 
routing table - i was under the impression that this shouldn't be 
allowed [0].

the scary bit is the jail'd root can drop the host's default route.

should this be the case? have i missed some sysctl knob?

maybe i need to patch kern/uipc_socket.c's socreate to be less 
permissive with the unixiproute_only sysctl (rendering it a misnomer, 
perhaps another sysctl altogether would be better).

jail# route add -host 1.2.3.4 5.6.7.8
add host 1.2.3.4: gateway 5.6.7.8

host$ netstat -nr | grep 1.2.3.4
1.2.3.4            5.6.7.8            UGHS        0        0    rl0

host$ sysctl -a | grep jail
jail.set_hostname_allowed: 0
jail.socket_unixiproute_only: 1
jail.sysvipc_allowed: 0

host$ uname -a
FreeBSD 4.8-STABLE FreeBSD 4.8-STABLE #5: Sun May 18 23:04:37 BST 2003 
    root@pith.lemonia.org:/usr/obj/usr/src/sys/pith  i386

regards, l.

[0] <http://docs.freebsd.org/44doc/papers/jail/jail.html>

-- 
lemon@aldigital.co.uk	+44 020 8742 0755   http://www.aldigital.co.uk/
system administrivia         c6 h8 o7         http://www.thebunker.net/