From owner-freebsd-security Fri Dec 7 8:53:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 40EDD37B417; Fri, 7 Dec 2001 08:53:12 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fB7Gqwi43953; Fri, 7 Dec 2001 11:52:58 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Fri, 7 Dec 2001 11:52:57 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "Crist J . Clark"
Cc: alexus, freebsd-security@FreeBSD.ORG
Subject: Re: identd inside of jail
In-Reply-To: <20011206003719.S3061@blossom.cjclark.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This problem is fixed in 5.0-CURRENT as it performs two checks in udp and
tcp getcred: first, it checks for privilege (and permits the jail to
succeed), and second, it checks whether the connection in question is
visible to the current jail.

I do not currently plan to merge these changes to -STABLE, as they rely on
changes merging the pcred and ucred structures, which in turn depend on a
lot of other changes throughout the kernel in 5.0-CURRENT.

As a follow-up note, the credential management code in 5.0-CURRENT is
substantially rewritten, and the result is much better enforcement of
process and resource visibility, both from the perspective of jail, and
from limiting users from seeing resources created by other users (such as
TCP connections) when dictated by policy.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Thu, 6 Dec 2001, Crist J . Clark wrote:

> On Wed, Dec 05, 2001 at 06:44:26PM -0500, alexus wrote:
> > Hello
> >
> > I'm posting on this thread on this list since jail itself is a
> > security-related issue; if this is the wrong list I'll repost it on
> > another list.
> >
> > Did anyone succeed in making identd (from inetd) or any other identd
> > work inside of jail?
>
> I don't think the auth service in inetd(8) will work in a jail. I
> believe the "net.inet.tcp.getcred" sysctl(3) fails.
>
> > The identd itself is working; however, to make it work for the outside
> > world too I put a forward for port 113 using natd:
> >
> > su-2.05# grep 113 /etc/natd.conf
> > redirect_port tcp jail:113 113
>
> And running it through a NATing gateway opens up a whole bunch of other
> issues that have nothing to do with jail(8).
> --
> "It's always funny until someone gets hurt. Then it's hilarious."
>
> Crist J. Clark                     | cjclark@alum.mit.edu
>                                    | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    | cjc@freebsd.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
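The two-check getcred logic Robert describes (privilege first, then jail/uid visibility), as an added userland model written for this archive page. It is not FreeBSD kernel code: the `struct cred`, the connection table, the `see_other_uids` knob and the function names are all assumptions made for the illustration, and the addresses are constructed documentation addresses.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Assumed, simplified credential: a uid plus a jail id. Jail 0 means the
 * process is not jailed. */
struct cred {
    unsigned uid;
    unsigned jail;
};

/* A TCP connection: 4-tuple plus the credential of the socket's owner. */
struct conn {
    const char *laddr;
    unsigned lport;
    const char *faddr;
    unsigned fport;
    struct cred owner;
};

/* Constructed sample connection table (documentation addresses only). */
static const struct conn table[] = {
    { "192.0.2.10", 22,   "198.51.100.7", 40001, { 0,    0 } }, /* host root   */
    { "192.0.2.10", 8080, "198.51.100.8", 40002, { 1001, 0 } }, /* host user   */
    { "192.0.2.20", 25,   "198.51.100.9", 40003, { 0,    1 } }, /* jail 1 root */
    { "192.0.2.30", 80,   "198.51.100.9", 40004, { 1002, 2 } }, /* jail 2 user */
};
static const size_t table_len = sizeof(table) / sizeof(table[0]);

/* Policy knob (assumed name, modelling "when dictated by policy"): when 0,
 * an unprivileged requester may only see sockets owned by its own uid. */
int see_other_uids = 1;

/* Check 1: privilege. The requester must be root; root inside a jail
 * qualifies, which is what lets a jailed identd's lookup succeed. */
static int check_privilege(const struct cred *req)
{
    return req->uid == 0 ? 0 : EPERM;
}

/* Check 2: visibility. A jailed requester sees only its own jail's sockets;
 * when policy says so, a non-root requester sees only its own uid's. */
int can_see_socket(const struct cred *req, const struct cred *owner)
{
    if (req->jail != 0 && req->jail != owner->jail)
        return ENOENT;
    if (!see_other_uids && req->uid != 0 && req->uid != owner->uid)
        return ENOENT;
    return 0;
}

/* Model of the getcred lookup: returns 0 and fills *out with the owning
 * credential, otherwise an errno value. */
int getcred(const struct cred *req, const char *laddr, unsigned lport,
            const char *faddr, unsigned fport, struct cred *out)
{
    int error = check_privilege(req);
    if (error != 0)
        return error;
    for (size_t i = 0; i < table_len; i++) {
        const struct conn *c = &table[i];
        if (c->lport != lport || c->fport != fport ||
            strcmp(c->laddr, laddr) != 0 || strcmp(c->faddr, faddr) != 0)
            continue;
        /* Found. An invisible connection is reported exactly like a
         * nonexistent one, so a jail cannot probe for host connections. */
        error = can_see_socket(req, &c->owner);
        if (error == 0)
            *out = c->owner;
        return error;
    }
    return ENOENT;
}

/* Model of an enumeration path (what netstat-style tools walk): how many
 * connections the requester is allowed to see under the current policy. */
size_t count_visible(const struct cred *req)
{
    size_t n = 0;
    for (size_t i = 0; i < table_len; i++)
        if (can_see_socket(req, &table[i].owner) == 0)
            n++;
    return n;
}
```

The point of the ordering is that the privilege check no longer rejects a jailed root outright, while the visibility check still confines what that jail can learn; returning the same error for "not visible" and "does not exist" keeps the lookup from leaking the existence of connections outside the jail.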