From owner-freebsd-hackers@FreeBSD.ORG Mon May 29 17:47:39 2006
Date: Mon, 29 May 2006 18:47:32 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Anatoli Klassen
Cc: David Malone, freebsd-hackers@freebsd.org
Subject: Re: security.bsd.see_other_uids for jails
In-Reply-To: <447B076E.1080503@aksoft.net>
Message-ID: <20060529183954.D79162@fledge.watson.org>
References: <4479A99E.8080708@aksoft.net> <20060528152510.GA39279@walton.maths.tcd.ie> <447B076E.1080503@aksoft.net>

On Mon, 29 May 2006, Anatoli Klassen wrote:

> David Malone wrote:
>> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
>>> if security.bsd.see_other_uids is set to 0, users from the main system can
>>> still see processes from jails if they have (by accident) the same uid.
>>>
>>> For me it's wrong behavior because the main system and the jail are two
>>> different systems where uids are independent.
>>
>> You could try the following (untested) patch to the MAC seeotheruid
>> module. You'd need to compile a kernel with the MAC option and then:
>
> Thanks for the patch, maybe I'll need something like that for my
> environment.
>
> But my question is if it's really intended that jail is not a real virtual
> system but just a way to limit interaction from jail to host and not vice
> versa.
>
> If it's the case then this has to be specified in jail(8).

Yes, this is a documentation bug. It is more precise to think of jail as a
subsetting service than a virtualizing service: processes in jails see a
subset of the system resources, rather than virtualized versions. So, for
example, they see a subset of the file system name space, a subset of the
IP/port name space, a subset of the process list, etc. This means that
applications in the "host" environment overlap with the jail environments by
virtue of also having access to that subset, as they can directly name files
in the file system subset, IP and port bindings, processes, and so on.

This does appear unclear from a quick skim of the man page, so something on
the order of the above, with practical suggestions on what this implies, is
required in the page.

Robert N M Watson
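A small Python model of the process-visibility rule discussed in this thread, added here as an illustration and not code from the FreeBSD kernel or from the patch David mentions: jail_allows is the subsetting rule Robert describes (host sees into every jail, a jailed process sees only its own jail), can_see layers the see_other_uids check on top of it, and the uids_per_jail flag is an assumed stricter policy, not FreeBSD's default, in which a uid inside a jail is unrelated to the same uid on the host, so the two behaviours can be compared. The process table is constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    uid: int
    jail: Optional[int]  # None means an unjailed ("host") process


def jail_allows(viewer: Proc, target: Proc) -> bool:
    """Subsetting rule: a host process may look into every jail, while a
    jailed process may only see processes inside its own jail."""
    if viewer.jail is None:
        return True
    return viewer.jail == target.jail


def can_see(viewer: Proc, target: Proc, see_other_uids: int,
            uids_per_jail: bool = False) -> bool:
    """True if viewer may see target. uids_per_jail=True is an assumed
    stricter policy (not FreeBSD's default) in which a uid inside a jail
    is unrelated to the same uid on the host."""
    if not jail_allows(viewer, target):
        return False
    if viewer.uid == 0 or see_other_uids:  # privileged viewer, or policy relaxed
        return True
    if uids_per_jail and viewer.jail != target.jail:
        return False
    return viewer.uid == target.uid


def visible_pids(viewer: Proc, procs: List[Proc], see_other_uids: int,
                 uids_per_jail: bool = False) -> List[int]:
    """Sorted pids from procs that viewer is allowed to see."""
    return sorted(p.pid for p in procs
                  if can_see(viewer, p, see_other_uids, uids_per_jail))


# Constructed sample process table: uid 1001 exists on the host and, by
# accident, inside jail 1, which is the situation the thread describes.
PROCS = [
    Proc(pid=100, uid=1001, jail=None),  # host user
    Proc(pid=101, uid=1002, jail=None),  # another host user
    Proc(pid=200, uid=1001, jail=1),     # jailed process, same uid as pid 100
    Proc(pid=201, uid=1002, jail=1),
    Proc(pid=300, uid=1001, jail=2),
]
HOST_1001, JAIL1_1001 = PROCS[0], PROCS[2]
```

With see_other_uids set to 0, visible_pids(HOST_1001, PROCS, 0) returns [100, 200, 300], so the host user sees the jailed process that shares its uid, which is the overlap Anatoli reports, while visible_pids(JAIL1_1001, PROCS, 0) returns only [200]. Under the assumed per-jail policy the host user's list shrinks to [100].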