From: Chris Rees
To: freebsd-security@freebsd.org
Date: Sat, 17 Jan 2009 12:01:38 +0000
Subject: Re: Thoughts on jail privilege (FAQ submission)
Reply-To: utisoft@gmail.com

---------- Forwarded message ----------
From: Chris Rees
Date: 2009/1/17
Subject: Re: Thoughts on jail privilege (FAQ submission)
To: Jan Demter

2009/1/17 Jan Demter:
> On 15.01.2009 at 19:31, Jon Passki wrote:
>
>> Another thing to think about is user IDs. You could have a user ID
>> in your host of 1001. Your jail could have a completely different user
>> account, but collide on the user ID of 1001. Your host user ID 1001 will
>> have access to those jail user ID 1001 files, unless you restrict a parent
>> directory. That was the use case I came across and avoided.
>
> I do not think restricting directories will help you a lot against these
> attacks.
> User 1001 on the host has access to all running processes of user 1001 in
> the jail and should be able to simply inject code to read the files via
> debugging interfaces.
> As Snuggles said, best practice is to not allow access to the host to
> anyone. If you have to, you should avoid collisions of user IDs.
>
> Greetings
> Jan

I find it quite strange that user 1001 can send signals to a jailed process of UID 1001. Is that intentional, or would it be a *lot* of working round to check the UID _and_ JID when signals are sent etc.?

I appreciate that UID collisions should be avoided, but I also think the documentation should cover these gotchas. The Handbook is beautiful, and taught me FreeBSD from start to finish, so I don't consider it an advanced-users-only reference. I appreciate that jails are quite advanced, but I do think the security concerns should be listed.

We all forget things :)

I might post to the doc list later to suggest this. I'll provide a patch if necessary.

Chris

-- 
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)
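The UID-collision check the thread recommends, as an added example that is not part of the original message or of FreeBSD itself: a POSIX sh/awk script that compares the host's passwd file with a jail's passwd file and reports every UID that appears in both under different user names (a UID shared under the same name, such as root or nobody, is not reported). The jail path in the usage comment is an assumed example, and the sample passwd entries are constructed for the stand-alone run, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original thread: detect UIDs that the host and a
# jail assign to differently named accounts, the collision discussed above.
# Usage: find_uid_collisions /etc/passwd /usr/jails/www/etc/passwd
# (the jail root /usr/jails/www is an assumed example; use your own jail path).

# Print one line "uid host_user jail_user" for each UID present in both passwd
# files under different names, lowest UID first.
find_uid_collisions() {
    awk -F: '
        FNR == 1       { fileno++ }             # 1 = host file, 2 = jail file
        /^#/ || NF < 3 { next }                 # skip comments and malformed lines
        fileno == 1    { host[$3] = $1; next }  # remember the host user name per UID
        ($3 in host) && host[$3] != $1 {        # jail UID also on the host, other name
            print $3, host[$3], $1
        }
    ' "$1" "$2" | sort -n
}

# Wrapper with an exit status: 0 if no collisions, 1 if at least one was found.
check_uid_collisions() {
    out=$(find_uid_collisions "$1" "$2")
    if [ -n "$out" ]; then
        printf 'UID collisions (uid host_user jail_user):\n%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample passwd files (not from any real system) for a stand-alone run:
# host UID 1001 is "alice", jail UID 1001 is "www"; 0, 1002 and 65534 agree.
write_sample_passwd_files() {
    cat > "$1" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$2" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:1001:1001:Jailed web user:/nonexistent:/usr/sbin/nologin
bob:*:1002:1002:Bob:/home/bob:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
EOF
}

# Demo on the constructed data; reports "1001 alice www".
demo_uid_collisions() {
    dir=$(mktemp -d)
    write_sample_passwd_files "$dir/host.passwd" "$dir/jail.passwd"
    check_uid_collisions "$dir/host.passwd" "$dir/jail.passwd"
    status=$?
    rm -rf "$dir"
    return $status
}
```

Run check_uid_collisions against /etc/passwd and each jail's etc/passwd; a non-zero exit means a UID is shared by differently named accounts, the situation Jon and Jan describe. It only compares passwd entries, so files inside the jail owned by a UID with no passwd entry are not covered, and it is a configuration check, not a substitute for keeping untrusted users off the host.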