Date:      Tue, 10 May 2011 22:31:48 +0200
From:      William Palfreman <william@palfreman.com>
To:        Bakul Shah <bakul@bitblocks.com>
Cc:        Jamie Landeg Jones <jamie@bishopston.net>, feld@feld.me, Edho P Arief <edhoprima@gmail.com>, freebsd-security@freebsd.org, Poul-Henning Kamp <phk@phk.freebsd.dk>, Dag-Erling Smørgrav <des@des.no>, utisoft@gmail.com
Subject:   Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
Message-ID:  <BANLkTimipYmJ3hczPE3-QmqKOu9W9iFUQQ@mail.gmail.com>
In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com>
References:  <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>


On 10 May 2011 19:49, Bakul Shah <bakul@bitblocks.com> wrote:
> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

If you do that then you can't use the jail with a non-root jailed user,
and I never want to give what is running in a jail anything more than
very unprivileged access.

All I do is this:
/var - as normal
/var/jails - 0700
/var/jails/jail1 - 0755
/var/jails/jail2 - 0755
etc.

If an unprivileged user outside the jail was also root inside the
jail, he wouldn't be able to get into the /var/jails directory to do
any suid rooting.
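
The layout described in this message can be checked mechanically. The sh script below is an added example, not part of the original message or of FreeBSD's jail tooling; the function names search_open and jail_shielded are made up for it. It assumes a jail root counts as protected when some directory above it grants no search (x) permission to group or other, as /var/jails does at 0700, and it does not check directory ownership.

```sh
#!/bin/sh
# Added example: audit that each jail root sits below a directory that
# host users other than the owner cannot traverse (e.g. /var/jails 0700).

# search_open DIR: exit 0 if group or other may traverse DIR,
# 1 if neither may, 2 if DIR could not be inspected.
search_open() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 2
    gx=$(printf '%s' "$mode" | cut -c7)    # group execute/search slot
    ox=$(printf '%s' "$mode" | cut -c10)   # other execute/search slot
    case "$gx$ox" in
        *[xst]*) return 0 ;;   # x, or x combined with setgid/sticky
        *)       return 1 ;;
    esac
}

# jail_shielded JAILROOT [TOP]: climb from the parent of JAILROOT up to
# TOP (default /). Print the first directory that blocks traversal and
# exit 0; exit 1 if every ancestor is open; exit 2 on error.
jail_shielded() {
    top=$(CDPATH= cd -- "${2:-/}" && pwd -P) || return 2
    dir=$(CDPATH= cd -- "$1/.." && pwd -P) || return 2
    while :; do
        if search_open "$dir"; then
            :   # traversable by group/other, keep climbing
        else
            [ $? -eq 1 ] || return 2
            printf '%s\n' "$dir"
            return 0
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then return 1; fi
        dir=$(dirname "$dir")
    done
}

# Report on every jail root given on the command line (none: no output).
for root in "$@"; do
    if by=$(jail_shielded "$root"); then
        echo "OK   $root (traversal blocked at $by)"
    else
        echo "OPEN $root: setuid files in it are reachable from the host"
    fi
done
```

Run it as root with the jail roots as arguments, for example /var/jails/jail1 and /var/jails/jail2 from the listing above.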