Date: Mon, 9 Sep 2002 10:27:19 -0400 (EDT)
From: Adrian Filipi-Martin <adrian+freebsd-security@ubergeeks.com>
To: Benjamin Krueger <benjamin@seattleFenix.net>
Cc: Hans Zaunere <zaunere@yahoo.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: jail() House Rock
Message-ID: <20020909102116.M8908-100000@lorax.ubergeeks.com>
In-Reply-To: <20020908044125.C98271@mail.seattleFenix.net>
On Sun, 8 Sep 2002, Benjamin Krueger wrote:

> Think carefully about exactly what kind of privileges your clients get. A
> friend asked me recently if his users could escalate privileges if they have a
> normal user account on the main server, and root inside the jail. After some
> thinking we outlined a situation in which the user creates a suid binary to
> escalate any user to root inside the jail, and then runs it as a normal user
> outside the jail. Instant root.

We stumbled across this situation a year or so ago as we converted our
development environments to be jails on the developer workstations.

A reasonable solution is to block access to the jailed filesystems from
non-jailed accounts. Just do the following:

    install -m u=rwx,go= -d /usr/fence
    install -d /usr/fence/jail

Then use the fenced off directory as your jail root. We are successfully
running desktops with multiple developer jails in this sort of configuration
and things work great. This excludes anyone but root from using suid binaries
from a jail, and well, root's already root.

Adrian
--
[ adrian@ubergeeks.com ]
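A check for the layout Adrian describes, added here as an example and not code from the thread: it walks up from a jail root looking for a root-owned directory with no group/other permission bits (the "fence"), and lists any setuid/setgid files under the jail root that a host user could otherwise reach. The function names are assumptions; the path /usr/fence/jail is the thread's own example. It uses only POSIX ls, find and cut, so it runs on FreeBSD and Linux alike.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are assumptions.

# find_fence JAILROOT [OWNER]
# Walk up from JAILROOT and print the first directory (JAILROOT itself or an
# ancestor) that is owned by OWNER (default root) and has no group/other
# permission bits, i.e. the fence from the thread. Exit 1 if there is none,
# which means an unprivileged host user could traverse into the jail and run
# a suid binary that jailed root planted there.
find_fence() {
    dir=$1
    want_owner=${2:-root}
    while [ -n "$dir" ] && [ "$dir" != "/" ]; do
        # ls -ld is POSIX: field 1 is the mode string, field 3 the owner name
        set -- $(ls -ld "$dir")
        go_bits=$(printf '%s' "$1" | cut -c5-10)   # group+other part of mode
        if [ "$3" = "$want_owner" ] && [ "$go_bits" = "------" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
        dir=$(dirname "$dir")
    done
    return 1
}

# list_suid JAILROOT
# Print every setuid or setgid regular file below JAILROOT. Inside a fence
# these are unreachable by host users; outside one, each is a candidate
# escalation path of the kind Benjamin describes.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# audit_jail JAILROOT, e.g. audit_jail /usr/fence/jail
audit_jail() {
    if fence=$(find_fence "$1"); then
        echo "ok: $1 is fenced by $fence"
    else
        echo "WARNING: $1 is reachable by unprivileged host users"
    fi
    echo "setuid/setgid files under $1:"
    list_suid "$1"
}
```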