Date: Tue, 30 Sep 2008 17:16:38 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: George Mamalakis <mamalos@eng.auth.gr>
Cc: freebsd-stable@FreeBSD.org
Subject: Re: jails and mac_seeotheruids problems in 6-STABLE
Message-ID: <alpine.BSF.1.10.0809301715540.75798@fledge.watson.org>
In-Reply-To: <48E21BD9.1080101@eng.auth.gr>
References: <48E1EBE1.50206@eng.auth.gr> <alpine.BSF.1.10.0809301040490.71734@fledge.watson.org> <48E21BD9.1080101@eng.auth.gr>
On Tue, 30 Sep 2008, George Mamalakis wrote:

> It works like a charm! Thank you very much for your time and help,

No problem -- I've gone ahead and committed that change to stable/6. If you're
able to test 6.4RC1 when it comes out to confirm that the fix works there as
desired, that would be most helpful.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> regards,
>
>
> Robert Watson wrote:
>>
>> On Tue, 30 Sep 2008, George Mamalakis wrote:
>>
>>> I have 3 servers in my lab. 2 of them are running 6-STABLE and one of them
>>> is running 7-STABLE. All three have services running in jails. I noticed a
>>> very peculiar behavior in 6-STABLE when I set the sysctl
>>> security.mac.seeotheruids.enabled=1. The root user in my jails was not
>>> able to see processes and sockets owned by other users of the same jail,
>>> whereas the root user of the host system could see every process (thank
>>> the Almighty). The same behavior does not apply on the server running
>>> 7-STABLE.
>>>
>>> In one sense it is more secure, since the root user in a jail is not as
>>> "strong" as the root user should be in a UNIX system. On the other hand,
>>> the root user loses its purpose of existence, which I suppose is a bug.
>>>
>>> Below are the security.mac sysctl settings of both 6 and 7-STABLE:
>>
>> Could you try modifying
>> src/sys/security/mac_seeotheruids/mac_seeotheruids.c in a 6.x tree so that
>> the call to suser_cred() in mac_seeotheruids_check() passes the
>> SUSER_ALLOWJAIL flag rather than 0? This may correct the problem you're
>> experiencing. Let me know and I can merge that change to 6.x.
>>
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>>
>>>
>>> 6-STABLE:
>>>
>>> security.mac.max_slots: 4
>>> security.mac.enforce_network: 1
>>> security.mac.enforce_pipe: 1
>>> security.mac.enforce_posix_sem: 1
>>> security.mac.enforce_suid: 1
>>> security.mac.mmap_revocation_via_cow: 0
>>> security.mac.mmap_revocation: 1
>>> security.mac.enforce_vm: 1
>>> security.mac.enforce_process: 1
>>> security.mac.enforce_socket: 1
>>> security.mac.enforce_system: 1
>>> security.mac.enforce_kld: 1
>>> security.mac.enforce_sysv_msg: 1
>>> security.mac.enforce_sysv_sem: 1
>>> security.mac.enforce_sysv_shm: 1
>>> security.mac.enforce_fs: 1
>>> security.mac.seeotheruids.specificgid: 0
>>> security.mac.seeotheruids.specificgid_enabled: 0
>>> security.mac.seeotheruids.primarygroup_enabled: 0
>>> security.mac.seeotheruids.enabled: 1
>>> security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443
>>> security.mac.portacl.port_high: 1023
>>> security.mac.portacl.autoport_exempt: 1
>>> security.mac.portacl.suser_exempt: 1
>>> security.mac.portacl.enabled: 1
>>>
>>>
>>> 7-STABLE:
>>>
>>> security.mac.max_slots: 4
>>> security.mac.version: 3
>>> security.mac.mmap_revocation_via_cow: 0
>>> security.mac.mmap_revocation: 1
>>> security.mac.seeotheruids.specificgid: 0
>>> security.mac.seeotheruids.specificgid_enabled: 0
>>> security.mac.seeotheruids.suser_privileged: 1
>>> security.mac.seeotheruids.primarygroup_enabled: 0
>>> security.mac.seeotheruids.enabled: 1
>>>
>>> I would be very glad if someone could inform me whether I am doing
>>> something wrong; if not I think I should inform FreeBSD about this bug.
>>>
>>> Thank you guys in advance,
>>>
>>> --
>>> George Mamalakis
>>>
>>> IT Officer
>>> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
>>> MSc (Imperial College of London)
>>>
>>> Department of Electrical and Computer Engineering
>>> Faculty of Engineering
>>> Aristotle University of Thessaloniki
>>>
>>> phone number : +30 (2310) 994379
>>>
>>> _______________________________________________
>>> freebsd-stable@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>>>
>
> --
> George Mamalakis
>
> IT Officer
> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
> MSc (Imperial College of London)
>
> Department of Electrical and Computer Engineering
> Faculty of Engineering
> Aristotle University of Thessaloniki
>
> phone number : +30 (2310) 994379
>
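Added example (not part of the thread and not the FreeBSD kernel source): a userland model of the mac_seeotheruids visibility check as the thread describes it for 6.x, showing why jailed root failed the check when suser_cred() was called with flag 0 and why passing SUSER_ALLOWJAIL fixes it. The struct ucred, the suser_cred() stand-in, the flag value and the sample credentials are simplifications assumed here so the logic can run stand-alone; the primarygroup/specificgid knobs are left out.

```c
/*
 * Added example: userland model of the 6.x mac_seeotheruids check.
 * NOT the kernel source. struct ucred, suser_cred() and SUSER_ALLOWJAIL
 * below are simplified stand-ins (assumed for this model).
 */
#include <errno.h>
#include <stdio.h>

/* Assumed flag value; meaning as in 6.x: let jailed root pass suser_cred(). */
#define SUSER_ALLOWJAIL 0x01

/* Minimal stand-in for the kernel credential. */
struct ucred {
	unsigned int cr_uid;   /* effective uid, consulted by suser_cred() */
	unsigned int cr_ruid;  /* real uid, compared by the visibility check */
	int cr_jailed;         /* 1 if the credential belongs to a jail */
};

/*
 * Model of 6.x suser_cred(): uid 0 is privileged, except that a jailed
 * credential is refused unless the caller passed SUSER_ALLOWJAIL.
 */
static int
suser_cred(struct ucred *cred, int flag)
{
	if (cred->cr_uid != 0)
		return (EPERM);
	if (cred->cr_jailed && !(flag & SUSER_ALLOWJAIL))
		return (EPERM);
	return (0);
}

/* Model of security.mac.seeotheruids.enabled (set to 1 in the thread). */
static int seeotheruids_enabled = 1;

/*
 * May credential u1 see an object (process, socket) owned by u2?
 * suser_flags is the argument handed to suser_cred(); the thread's fix
 * changes it from 0 to SUSER_ALLOWJAIL.  Returns 0 (visible) or ESRCH.
 */
static int
mac_seeotheruids_check(struct ucred *u1, struct ucred *u2, int suser_flags)
{
	if (!seeotheruids_enabled)
		return (0);
	if (u1->cr_ruid == u2->cr_ruid)
		return (0);
	if (suser_cred(u1, suser_flags) == 0)
		return (0);
	return (ESRCH);
}

/* Pre-fix behaviour: suser_cred(u1, 0). */
int
check_before_fix(struct ucred *u1, struct ucred *u2)
{
	return (mac_seeotheruids_check(u1, u2, 0));
}

/* Post-fix behaviour: suser_cred(u1, SUSER_ALLOWJAIL). */
int
check_after_fix(struct ucred *u1, struct ucred *u2)
{
	return (mac_seeotheruids_check(u1, u2, SUSER_ALLOWJAIL));
}

int
main(void)
{
	/* Constructed sample credentials: jailed root, a jailed user, host root. */
	struct ucred jroot = { .cr_uid = 0, .cr_ruid = 0, .cr_jailed = 1 };
	struct ucred juser = { .cr_uid = 1001, .cr_ruid = 1001, .cr_jailed = 1 };
	struct ucred hroot = { .cr_uid = 0, .cr_ruid = 0, .cr_jailed = 0 };

	printf("jailed root -> jailed user, before fix: %s\n",
	    check_before_fix(&jroot, &juser) == 0 ? "visible" : "ESRCH");
	printf("jailed root -> jailed user, after fix:  %s\n",
	    check_after_fix(&jroot, &juser) == 0 ? "visible" : "ESRCH");
	printf("host root   -> jailed user, before fix: %s\n",
	    check_before_fix(&hroot, &juser) == 0 ? "visible" : "ESRCH");
	printf("jailed user -> jailed root, after fix:  %s\n",
	    check_after_fix(&juser, &jroot) == 0 ? "visible" : "ESRCH");
	return (0);
}
```

The model reproduces the symptom from the thread: host root passes suser_cred() in both variants, but jailed root only passes once SUSER_ALLOWJAIL is set, so before the fix it is treated like any unprivileged user and gets ESRCH for other uids. Unprivileged users are still denied after the fix, and containment between jails is enforced by the jail code itself, not by this module.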
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.1.10.0809301715540.75798>