Date:      Fri, 7 Dec 2001 11:52:57 -0500 (EST)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc:        alexus <ml@db.nexgen.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: identd inside of jail
Message-ID:  <Pine.NEB.3.96L.1011207115009.42818D-100000@fledge.watson.org>
In-Reply-To: <20011206003719.S3061@blossom.cjclark.org>


This problem is fixed in 5.0-CURRENT as it performs two checks in udp and
tcp getcred: first, it checks for privilege (and permits the jail to
succeed), and second, it checks whether the connection in question is
visible to the current jail.  I do not currently plan to merge these
changes to -STABLE, as they rely on changes merging the pcred and ucred
structures, which in turn depend on a lot of other changes throughout the
kernel in 5.0-CURRENT.  As a follow-up note, the credential management
code in 5.0-CURRENT is substantially rewritten, and the result is much
better enforcement of process and resource visibility, both from the
perspective of jail, and from limiting users from seeing resources created
by other users (such as TCP connections) when dictated by policy.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
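The two checks Watson describes, as an added C model that is not FreeBSD kernel code: a privilege check that still admits jailed root, followed by a visibility check that hides connections belonging to another jail (or to the host) from a jailed caller. The struct names, fields and error codes are simplified assumptions, not the kernel's.

```c
/* Added model of the two getcred checks described above; not FreeBSD kernel code.
 * Struct names/fields are simplified stand-ins (assumptions) for the kernel's
 * ucred/prison/inpcb, and the error codes are this model's choice. */
#include <errno.h>
#include <stddef.h>
struct prison { int pr_id; };                             /* jail identity */
struct ucred  { int cr_uid; struct prison *cr_prison; };  /* NULL prison = unjailed */
struct inpcb  { struct ucred *inp_cred; };                /* creator of the socket */
/* Check 1: privilege. Caller must be root, but jailed root is accepted
 * (this is what lets identd inside a jail succeed at all). */
static int
getcred_priv_check(const struct ucred *caller)
{
	return caller->cr_uid == 0 ? 0 : EPERM;
}

/* Check 2: visibility. An unjailed caller sees every connection; a jailed
 * caller sees only connections whose socket was created in the same jail. */
static int
getcred_visibility_check(const struct ucred *caller, const struct inpcb *inp)
{
	const struct prison *mine = caller->cr_prison;
	const struct prison *theirs = inp->inp_cred->cr_prison;
	if (mine == NULL)
		return 0;
	return (theirs != NULL && theirs->pr_id == mine->pr_id) ? 0 : ENOENT;
}

/* Both checks in order. Returns the connection owner's uid (what identd maps
 * to a user name) on success, or the negated error code on failure. */
int
tcp_getcred_model(const struct ucred *caller, const struct inpcb *inp)
{
	int error;
	if ((error = getcred_priv_check(caller)) != 0 ||
	    (error = getcred_visibility_check(caller, inp)) != 0)
		return -error;
	return inp->inp_cred->cr_uid;
}

/* Constructed scenario helper for testing: jail id 0 means "not jailed". */
int
getcred_scenario(int caller_uid, int caller_jail, int conn_uid, int conn_jail)
{
	struct prison pc = { caller_jail }, pk = { conn_jail };
	struct ucred caller = { caller_uid, caller_jail ? &pc : NULL };
	struct ucred owner  = { conn_uid, conn_jail ? &pk : NULL };
	struct inpcb inp    = { &owner };
	return tcp_getcred_model(&caller, &inp);
}
```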

On Thu, 6 Dec 2001, Crist J . Clark wrote:

> On Wed, Dec 05, 2001 at 06:44:26PM -0500, alexus wrote:
> > Hello
> > 
> > I'm posting on this thread on this list because jail itself is a security
> > related issue; if this is the wrong list, I'll repost it on another list.
> > 
> > Did anyone succeed in making identd (from inetd) or any other identd work
> > inside of jail?
> 
> I don't think the auth service in inetd(8) will work in a jail. I
> believe the "net.inet.tcp.getcred" sysctl(3) fails.
> 
> > The identd itself is working; however, to make it work for the outside world
> > too, I put in a forward for port 113 using natd:
> > 
> > su-2.05# grep 113 /etc/natd.conf
> > redirect_port tcp jail:113 113
> 
> And running it through a NATing gateway opens up a whole bunch of other
> issues that have nothing to do with jail(8).
> -- 
> "It's always funny until someone gets hurt. Then it's hilarious."
> 
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1011207115009.42818D-100000>