Re: jail() House Rock

From: Adrian Filipi-Martin (adrian+freebsd-security@ubergeeks.com)
Date: 09/09/02


Date: Mon, 9 Sep 2002 10:27:19 -0400 (EDT)
From: Adrian Filipi-Martin <adrian+freebsd-security@ubergeeks.com>
To: Benjamin Krueger <benjamin@seattleFenix.net>

On Sun, 8 Sep 2002, Benjamin Krueger wrote:

> Think carefully about exactly what kind of privileges your clients get. A
> friend asked me recently if his users could escalate privileges if they have a
> normal user account on the main server, and root inside the jail. After some
> thinking we outlined a situation in which the user creates a suid binary to
> escalate any user to root inside the jail, and then runs it as a normal user
> outside the jail. Instant root.

        We stumbled across this situation a year or so ago as we converted
our development environments to be jails on the developer workstations.

        A reasonable solution is to block access to the jailed filesystems
from non-jailed accounts. Just do the following:

        install -m u=rwx,go= -d /usr/fence
        install -d /usr/fence/jail

        Then use the fenced-off directory as your jail root. We are
successfully running desktops with multiple developer jails in this sort of
configuration and things work great. This excludes anyone but root from
using suid binaries from a jail, and well, root's already root.

        Adrian

--
[ adrian@ubergeeks.com ]
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
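
An added example, not part of Adrian's post or of FreeBSD itself: a small POSIX sh script that builds the fence the way the two install(1) lines above do and then checks whether a given jail root really sits behind a directory whose group and other search bits are clear, the property that keeps an unprivileged host user from reaching a suid binary inside the jail by path. The stat(1) invocations (GNU -c, BSD -f) and the absolute-path requirement are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): build and verify the fence
# layout described in the thread. Assumes absolute paths and a stat(1)
# that is either GNU (-c) or BSD (-f).

# Octal permission bits of a path, trying GNU stat first, then BSD stat.
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a jail root behind a fence directory that only its owner can
# search, exactly as the post does with install(1) and a symbolic mode.
make_fenced_jail() {
    install -m u=rwx,go= -d "$1" && install -d "$1/jail"
}

# is_fenced JAILROOT [TOP]: return 0 if JAILROOT or one of its parents
# (stopping before TOP, default /) clears the search (x) bit for both
# group and other, so an unprivileged user outside the jail cannot reach
# a suid binary inside it by path. Return 1 otherwise.
is_fenced() {
    dir=$1 top=${2:-/}
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ]; do
        bits=$(perm_bits "$dir") || return 1
        go=${bits#"${bits%??}"}        # last two octal digits: group, other
        g=${go%?} o=${go#?}
        if [ $((g & 1)) -eq 0 ] && [ $((o & 1)) -eq 0 ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
    return 1
}

# Stand-alone demonstration in a scratch directory.
scratch=$(mktemp -d)
make_fenced_jail "$scratch/fence"
is_fenced "$scratch/fence/jail" "$scratch" && echo "fenced:   $scratch/fence/jail"
install -d "$scratch/open/jail"
is_fenced "$scratch/open/jail" "$scratch" || echo "unfenced: $scratch/open/jail"
rm -rf "$scratch"
```

The check reads only classic mode bits; an ACL that grants search to other users, or a nullfs/bind mount exposing the jail tree at another path, would not be caught.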
