Date: Sun, 28 May 2006 16:38:59 +0200
From: Anatoli Klassen <anatoli@aksoft.net>
To: freebsd-hackers@freebsd.org
Subject: Re: security.bsd.see_other_uids for jails
Message-ID: <4479B603.5030303@aksoft.net>
In-Reply-To: <20060528135012.GB14541@britannica.bec.de>
References: <4479A99E.8080708@aksoft.net> <20060528135012.GB14541@britannica.bec.de>

joerg@britannica.bec.de wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
>> Hi All,
>>
>> if security.bsd.see_other_uids is set to 0, users from the main system
>> can still see processes from jails if they have (by accident) the same uid.
>>
>> For me it's wrong behavior because the main system and the jail are two
>> different systems where uids are independent.
>
> Sorry but you have far bigger security problems if you create such a
> setup. E.g. "users" from the outer system can ptrace the processes in
> the jail with the same uid.
>

But ptrace uses the same function p_cansee for security check. Does it
mean that "outer" user is more privileged than "jailed" root? Is it intended?

Regards,
Anatoli