Re: jail() House Rock

From: Nomad (mailman@crypton.pl)
Date: 09/10/02


Date: Tue, 10 Sep 2002 16:25:42 +0200
From: Nomad <mailman@crypton.pl>
To: freebsd-security@freebsd.org

So, you are wrong and I have to correct you.
To read a file in the way you described, the user has to have x permission on all subdirectories and x permission on the executable file.
We assume that you have x permission on the executable, but for the root directory of the jail you don't.

On Mon, Sep 09, 2002 at 08:49:34AM -0600, bsd@xtremedev.com wrote:
> > A reasonable solution is to block access to the jailed filesystems
> > from non-jailed accounts. Just do the following:
> >
> > install -m u=rwx,go= -d /usr/fence
> > install -d /usr/fence/jail
> >
> > Then use the fenced off directory as your jail root. We are
> > successfully running desktops with multiple developer jails in this sort of
> > configuration and things work great. This excludes anyone but root from
> > using suid binaries from a jail, and well, root's already root.
>
> Er, I don't believe this solves the issue. If the user knows the full path
> from the host system to the suid binary s/he created in the jail, s/he can
> access it directly as a regular user in the host environment. I.e., typing
> in:
>
> /usr/fence/jail/usr/home/baduser/bin/rootshell
>
> Please correct me if I'm wrong or if I've misunderstood.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
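
The traversal rule this reply relies on, as an added example that is not part of the original thread: a small checker that walks a path and reports the first directory a given uid cannot search. It assumes plain UNIX mode bits only (no ACLs or MAC policies); the function names are hypothetical, the directory tree is constructed under a temporary directory, and `rootshell` is an ordinary non-setuid stand-in file.

```python
import os
import stat
import tempfile

def first_blocked_component(path, uid, gids=(), start=os.sep):
    """Return the first directory between start and path that uid cannot
    search (no x bit for its permission class), or None if all allow it."""
    if uid == 0:
        return None  # root bypasses directory search permission
    current = start
    for name in os.path.relpath(path, start).split(os.sep)[:-1]:
        current = os.path.join(current, name)
        st = os.stat(current)
        # Exactly one class applies: owner, else group, else other.
        if st.st_uid == uid:
            bit = stat.S_IXUSR
        elif st.st_gid in gids:
            bit = stat.S_IXGRP
        else:
            bit = stat.S_IXOTH
        if not st.st_mode & bit:
            return current
    return None

def build_demo(root, fence_mode):
    """Constructed layout: <root>/fence/jail/usr/home/baduser/bin/rootshell."""
    fence = os.path.join(root, "fence")
    bindir = os.path.join(fence, "jail", "usr", "home", "baduser", "bin")
    os.makedirs(bindir)
    d = bindir
    while d != root:  # make every level world-searchable first
        os.chmod(d, 0o755)
        d = os.path.dirname(d)
    target = os.path.join(bindir, "rootshell")
    with open(target, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(target, 0o755)  # x for everyone; a stand-in, not setuid
    os.chmod(fence, fence_mode)  # like: install -m u=rwx,go= -d /usr/fence
    return fence, target

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    other_uid = os.getuid() + 1  # constructed: any uid that owns nothing here
    fence, target = build_demo(root, 0o700)
    print("blocked at:", first_blocked_component(target, other_uid, start=root))
    os.chmod(fence, 0o755)
    print("blocked at:", first_blocked_component(target, other_uid, start=root))
```

Run against a real jail root on the host, the same function shows whether a non-root account is stopped at the fence directory or can reach binaries inside the jail by full path.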