Date: Mon, 3 Mar 2003 15:08:22 -0800 From: "Mooneer Salem" <mooneer@translator.cx> To: "Pawel Jakub Dawidek" <nick@garage.freebsd.pl> Cc: "FreeBSD Hackers" <freebsd-hackers@freebsd.org> Subject: RE: Jail seperation patch Message-ID: <FHEMJMOKKMJDGKFOHHEPKEHPFEAA.mooneer@translator.cx> In-Reply-To: <20030227154351.GQ330@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello, My test settings are as follows: Host system (pacific.lifeafterking.org): 10.0.0.2, 10.0.0.3, 10.0.0.4 Jail (test.lifeafterking.org): 10.0.0.3, 10.0.0.4 I also made a new patch which fixes these issues: 1. Telnetting to 0.0.0.0 in the jail now redirects to the first jail IP. 2. Non-root users outside a jail cannot access any files inside a jail (sysctl controllable) The patch can be downloaded at http://msalem.translator.cx/dist/jail_seperation.v6.patch. Thanks, -- Mooneer Salem GPLTrans: http://www.translator.cx/ lifeafterking.org: http://www.lifeafterking.org/ -----Original Message----- From: owner-freebsd-hackers@FreeBSD.ORG [mailto:owner-freebsd-hackers@FreeBSD.ORG]On Behalf Of Pawel Jakub Dawidek Sent: Thursday, February 27, 2003 7:44 AM To: Mooneer Salem Cc: FreeBSD Hackers Subject: Re: Jail seperation patch On Thu, Feb 27, 2003 at 07:16:15AM -0800, Mooneer Salem wrote: +> Actually, I just gave it blah.lifeafterking.org in /etc/hosts. 10.0.0.4 +> really *is* in the same jail: +> +> %ifconfig +> lnc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 +> inet 10.0.0.3 netmask 0xffffffff broadcast 10.0.0.3 +> inet 10.0.0.4 netmask 0xffffffff broadcast 10.0.0.4 +> ether 00:50:56:e0:26:54 +> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 +> %hostname +> test.lifeafterking.org +> % Ehh, so now I know nothing about your test settings. After all problems isn't so trivial. +> As for the hide files code, I found a possible location for it, in +> vfs_subr.c (extattr_check_cred()). I added +> this block to it: [...] IMHO very dirty and not complete. Jail don't have to be chrooted to diferent mount-point, and checks like those should be done between vnodes, not pathnames. In my opinion better way is just create another jail and don't give access to main host for regular users. -- Pawel Jakub Dawidek UNIX Systems Administrator http://garage.freebsd.pl Am I Evil? Yes, I Am. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FHEMJMOKKMJDGKFOHHEPKEHPFEAA.mooneer>