Date:      Tue, 10 Sep 2002 16:25:42 +0200
From:      Nomad <mailman@crypton.pl>
To:        freebsd-security@freebsd.org
Subject:   Re: jail() House Rock
Message-ID:  <20020910142542.GA12567@killer.crypton.pl>
In-Reply-To: <20020909084601.K27444-100000@Amber.XtremeDev.com>
References:  <20020909102116.M8908-100000@lorax.ubergeeks.com> <20020909084601.K27444-100000@Amber.XtremeDev.com>

So, you are wrong and I have to correct you.
To read a file in the way you described, the user has to have x permission on all subdirectories and x permission on the executable file.
We assume that you have x permission on the executable, but for the root directory of the jail you don't.

On Mon, Sep 09, 2002 at 08:49:34AM -0600, bsd@xtremedev.com wrote:
> > 	A reasonable solution is to block access to the jailed filesystems
> > from non-jailed accounts.  Just do the following:
> >
> > 	install -m u=rwx,go= -d /usr/fence
> > 	install -d /usr/fence/jail
> >
> > 	Then use the fenced off directory as your jail root.  We are
> > successfully running desktops with multiple developer jails in this sort of
> > configuration and things work great.  This exclued anyone but root from
> > using suid binaries from a jail, and well, root's already root.
> 
> Er, I don't believe this solves the issue. If the user knows the full path
> from the host system to the suid binary s/he created in the jail, s/he can
> access it directly as a regular user in the host environment, i.e., typing
> in:
> 
> /usr/fence/jail/usr/home/baduser/bin/rootshell
> 
> Please correct me if I'm wrong or if I've misunderstood.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
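The disagreement above comes down to how the kernel resolves a path: every directory component must grant search (x) permission to the calling user before the final file's own bits are even consulted. The following is an added illustration, not code from this thread or from FreeBSD: it models that rule over a constructed in-memory tree with the path quoted in the thread, a setuid-root `rootshell` with mode 4755, and compares a fence directory at the default 0755 with the `install -m u=rwx,go=` (0700) fence the earlier poster recommended. The uids, gids and modes are sample values chosen for the example.

```python
"""POSIX path-walk permission check, modelled in memory (added example).

Models the rule that reaching a file by path needs search (x) permission
on every directory component, and shows why a jail root placed under a
mode 0700 directory is unreachable by non-root users on the host even
when they know the full path. All nodes, uids and modes are constructed.
"""
import stat
from dataclasses import dataclass, field


@dataclass
class Node:
    uid: int
    gid: int
    mode: int                         # type bits plus permission bits
    children: dict = field(default_factory=dict)

    @property
    def is_dir(self):
        return stat.S_ISDIR(self.mode)


def mkdir(parent, name, uid=0, gid=0, perm=0o755):
    node = Node(uid, gid, stat.S_IFDIR | perm)
    parent.children[name] = node
    return node


def mkfile(parent, name, uid, gid, perm):
    node = Node(uid, gid, stat.S_IFREG | perm)
    parent.children[name] = node
    return node


def has_perm(node, uid, gids, bit):
    """Owner/group/other check for one permission bit (given as the
    'other' bit). Root bypasses everything except execute on a plain
    file that has no x bit at all."""
    if uid == 0:
        if bit == stat.S_IXOTH and not node.is_dir:
            return bool(node.mode & 0o111)
        return True
    if node.uid == uid:
        return bool(node.mode & (bit << 6))
    if node.gid in gids:
        return bool(node.mode & (bit << 3))
    return bool(node.mode & bit)


def can_execute(root, path, uid, gids):
    """Walk from root: each directory needs x (search) for uid, and the
    last component must be a file that uid may execute."""
    node = root
    for comp in path.strip("/").split("/"):
        if not node.is_dir or not has_perm(node, uid, gids, stat.S_IXOTH):
            return False            # cannot descend: walk stops here
        node = node.children.get(comp)
        if node is None:
            return False
    return not node.is_dir and has_perm(node, uid, gids, stat.S_IXOTH)


def build_host(fence_perm):
    """Constructed host tree holding the path from the thread:
    /usr/fence/jail/usr/home/baduser/bin/rootshell (setuid root)."""
    root = Node(0, 0, stat.S_IFDIR | 0o755)
    usr = mkdir(root, "usr")
    fence = mkdir(usr, "fence", perm=fence_perm)   # the fence directory
    jail = mkdir(fence, "jail")                    # jail root, 0755
    jusr = mkdir(jail, "usr")
    home = mkdir(jusr, "home")
    baduser = mkdir(home, "baduser", uid=1001, gid=1001)
    bin_ = mkdir(baduser, "bin", uid=1001, gid=1001)
    mkfile(bin_, "rootshell", uid=0, gid=0, perm=0o4755)  # setuid-root binary
    return root


PATH = "/usr/fence/jail/usr/home/baduser/bin/rootshell"


def host_user_can_run(fence_perm, uid=1001, gids=(1001,)):
    """True if the given host user can execute PATH through a fence
    directory of mode fence_perm."""
    return can_execute(build_host(fence_perm), PATH, uid, gids)


if __name__ == "__main__":
    for perm in (0o755, 0o700):
        print(f"fence mode {perm:04o}: uid 1001 -> {host_user_can_run(perm)}, "
              f"root -> {host_user_can_run(perm, uid=0, gids=(0,))}")
```

With the fence at 0755 the unprivileged host user walks straight to the setuid binary; with the fence at 0700 (the `install -m u=rwx,go=` form) the walk fails at `/usr/fence` and the file's own 4755 bits never come into play. Root still reaches it in both cases, which is the "root's already root" point made in the thread.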