Date: Wed, 11 May 2011 05:28:16 +0000 (UTC) From: Janne Snabb <snabb@epipe.com> To: Bakul Shah <bakul@bitblocks.com> Cc: Jamie Landeg Jones <jamie@bishopston.net>, Jason Hellenthal <jhell@DataIX.net>, feld@feld.me, Edho P Arief <edhoprima@gmail.com>, freebsd-security@freebsd.org, Poul-Henning Kamp <phk@phk.freebsd.dk>, =?ISO-8859-15?Q?Dag-Erling_Sm=F8rgrav?= <des@des.no>, utisoft@gmail.com Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) Message-ID: <alpine.BSF.2.00.1105110456050.33272@tiktik.epipe.com> In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com> References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 10 May 2011, Bakul Shah wrote: > Dumb question: the jail command can refuse to run unless the > parent of a jail root is 0700. Would that work? No kernel hack > required. I do not think that this should be enforced in kernel, in the jail(8) command nor anywhere else. UNIX rm(1) is not opening a pop-up window asking "are you sure?" if you do "rm -rf /". The OS should not impose arbitrary restrictions based on some random assumptions on how a particular OS facility is going to be used. I can easily think of several scenarios where such a restriction would cause more trouble than benefit. One example: I might have zero unprivileged users in the jail host (thus the restriction would be unnecessary). I need to run a cron job in the jail host which updates some data within the jails. I rather not do this as root but instead use a separate non-root user for the purpose (as it is generally a good practice to run everything as non-root unless it is really necessary to be root). The proposed restriction would defeat this possibility and force me to run all jail-related tasks as root in the jail host, which might open it up to some other potential security issues. This should go in to the documentation as a recommendation for some common jail use cases, but seriously, really not in the code, please. In UNIX we do not want to prevent people from shooting themselves in the foot. We should assume that the system administrator knows what they want and should not restrict their freedom to do so. Just my thoughts, -- Janne Snabb / EPIPE Communications snabb@epipe.com - http://epipe.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1105110456050.33272>