From: Uwe Doering
Date: Thu, 06 Feb 2003 11:42:12 +0100
To: freebsd-security@FreeBSD.ORG
Subject: Re: Passwords in Jails
Message-ID: <3E423C04.3060106@geminix.org>
In-Reply-To: <5.2.0.9.0.20030205075601.061cefe0@192.168.0.12>

Mike Tancsa wrote:
> At 08:43 AM 2/5/2003 +0100, Alex Huth wrote:
>
>> Where can I solve this problem or is there a possibility to manage
>> passwords/public keys of a jail from the basesystem?
>
> Yes, just manipulate the master.passwd file directly from outside your
> jail, or cp your public key to the appropriate authorized_keys2 file, as
> you have access to the entire file system from the base system.

You may want to make sure, though, that the Jail is not running before
you do so. Writing to a Jail from the outside is a major security
headache if it is inhabited by untrusted users.
Imagine what happens when the user does this (or similar things) in his
'/etc':

   ln -sf /etc/master.passwd master.passwd

You'd end up changing the respective file in your base system. Stopping
the Jail prevents races, so you can inspect files in a safe manner before
you actually change them. Chrooting into the Jail and changing files
from there might help as well:

   chroot /path/to/jail/root

    Uwe
-- 
Uwe Doering
Berlin, Germany
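
An added example, not part of the original message: one way to open a file below a jail root from the base system so that a link like the one above is refused rather than followed. `open_in_jail`, `UnsafeJailPath` and the temporary tree built in `demo()` are hypothetical names and constructed data; a POSIX system whose Python supports `dir_fd` is assumed.

```python
import os
import stat
import tempfile

class UnsafeJailPath(Exception):
    """A component is a symlink, is missing, or is not a regular file."""

def open_in_jail(jail_root, rel_path, flags=os.O_RDONLY):
    """Open rel_path below jail_root without following any symlink."""
    parts = [p for p in rel_path.split("/") if p]
    if not parts or ".." in parts:
        raise UnsafeJailPath("bad relative path: %r" % rel_path)
    dir_fd = os.open(jail_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Walk one component at a time; O_NOFOLLOW in _open refuses any link.
        for name in parts[:-1]:
            nxt = _open(name, os.O_RDONLY | os.O_DIRECTORY, dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        fd = _open(parts[-1], flags | os.O_NONBLOCK, dir_fd)  # no FIFO hang
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            os.close(fd)
            raise UnsafeJailPath("%s: not a regular file" % parts[-1])
        return fd
    finally:
        os.close(dir_fd)

def _open(name, flags, dir_fd):
    try:
        return os.open(name, flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError as exc:
        raise UnsafeJailPath("%s: %s" % (name, exc.strerror)) from exc

def demo():
    """Constructed sample: a temp dir stands in for base system and jail."""
    jail = os.path.join(tempfile.mkdtemp(), "jail")
    os.makedirs(jail + "/etc")
    host_file = os.path.dirname(jail) + "/master.passwd"  # "base system" copy
    for path, text in ((host_file, "host\n"), (jail + "/etc/group", "jail\n")):
        with open(path, "w") as f:
            f.write(text)
    # The link from the message, planted in the jail's etc directory.
    os.symlink(host_file, jail + "/etc/master.passwd")
    with os.fdopen(open_in_jail(jail, "etc/group")) as f:
        plain = f.read()
    try:
        os.close(open_in_jail(jail, "etc/master.passwd", os.O_RDWR))
    except UnsafeJailPath:
        return plain, True  # link refused, host file untouched
    return plain, False
```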