Date: Sat, 17 Jan 2009 12:01:38 +0000
From: Chris Rees <utisoft@googlemail.com>
To: freebsd-security@freebsd.org
Subject: Re: Thoughts on jail privilege (FAQ submission)
Message-ID: <b79ecaef0901170401m5b34e7ccle2984a14519f31ba@mail.gmail.com>
In-Reply-To: <b79ecaef0901170359n32c03a9w4d13a60b0dd297aa@mail.gmail.com>
References: <b79ecaef0901150909t54acd194t8236ded99fa2150b@mail.gmail.com> <cc6847e40901151031w68a5156bsf99a9ac563ef9f01@mail.gmail.com> <20AB93FA-080E-47D6-8075-B591A7DBCF38@demter.de> <b79ecaef0901170359n32c03a9w4d13a60b0dd297aa@mail.gmail.com>
---------- Forwarded message ----------
From: Chris Rees <utisoft@googlemail.com>
Date: 2009/1/17
Subject: Re: Thoughts on jail privilege (FAQ submission)
To: Jan Demter <jan-mailinglists@demter.de>

2009/1/17 Jan Demter <jan-mailinglists@demter.de>:
> On 15.01.2009 at 19:31, Jon Passki wrote:
>
>> Another thing to think about is user IDs. You could have a user ID
>> in your host of 1001. Your jail could have a completely different user
>> account, but collide on the user ID of 1001. Your host user ID 1001 will
>> have access to those jail user ID 1001 files, unless you restrict a parent
>> directory. That was the use case I came across and avoided.
>
> I do not think restricting directories will help you a lot against these
> attacks.
> User 1001 on the host has access to all running processes of user 1001 in
> the jail and should be able to simply inject code to read the files via
> debugging interfaces.
> As Snuggles said, best practice is to not allow access to the host to
> anyone. If you have to, you should avoid collisions of user IDs.
>
> Greetings
> Jan
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

I find it quite strange that user 1001 can send signals to a jailed process of UID 1001. Is that intentional, or would it be a *lot* of working round to check the UID _and_ JID when signals are sent etc?

I appreciate that UID collisions should be avoided, but I also think the documentation should cover these gotchas. The Handbook is beautiful, and taught me FreeBSD from start to finish, so I don't consider it an advanced-users-only reference. I appreciate that jails are quite advanced, but I do think the security concerns should be listed. We all forget things :)

I might post to the doc list later to suggest this. I'll provide a patch if necessary.

Chris

--
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)
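A defender's check for the UID collision Jon and Jan describe above, added here as an example that is not part of the original thread: a POSIX shell script that compares the host's master.passwd with each jail's and reports UIDs that name different accounts on the two sides. The file paths (/etc/master.passwd on the host, <jailroot>/etc/master.passwd in a jail) and the sample account data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: find numeric UIDs present in both
# the host's and a jail's master.passwd but naming different accounts, the
# collision the thread warns about (the host account with that UID can signal
# or debug the jail's same-UID processes).  Paths are assumptions: on FreeBSD
# the host file is /etc/master.passwd, a jail's is <jailroot>/etc/master.passwd.
# master.passwd fields: name:passwd:uid:gid:class:change:expire:gecos:home:shell

# Print "uid host_name jail_name" for each colliding UID, lowest UID first.
uid_collisions() {
    awk -F: '
        /^[ \t]*#/ || NF == 0 { next }         # skip comments and blank lines
        NR == FNR { host[$3] = $1; next }      # first file: remember host names
        ($3 in host) && host[$3] != $1 {       # second file: same UID, other name
            printf "%s %s %s\n", $3, host[$3], $1
        }
    ' "$1" "$2" | sort -n
}

# Report collisions for every jail root given after the host passwd file.
all_jail_collisions() {
    host_pw=$1; shift
    for root in "$@"; do
        uid_collisions "$host_pw" "$root/etc/master.passwd" |
            while read -r uid hn jn; do
                echo "$root: uid $uid is '$hn' on the host but '$jn' in the jail"
            done
    done
}

# Constructed sample data (not from any real system): UID 1001 is "alice" on
# the host but "www-app" in the jail; 1002 is "bob" in both; 1003 is jail-only.
make_sample() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/jail/etc"
    cat > "$dir/host.master.passwd" <<'EOF'
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    cat > "$dir/jail/etc/master.passwd" <<'EOF'
www-app:*:1001:1001::0:0:App:/nonexistent:/usr/sbin/nologin
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
db:*:1003:1003::0:0:DB:/var/db:/usr/sbin/nologin
EOF
    echo "$dir"
}

sample=$(make_sample)
all_jail_collisions "$sample/host.master.passwd" "$sample/jail"
rm -rf "$sample"
```

On a real host, run it as `all_jail_collisions /etc/master.passwd /path/to/jail1 /path/to/jail2 ...`; an empty report means no UID is shared between the host and a jail under different names.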