Re: jail() House Rock
From: Nomad (email@example.com)
- Next message: Derek Ragona: "4.6.2 sendmail anomaly"
- Previous message: Lupe Christoph: "Re: asmtp 587 - quickie faq submission"
- In reply to: firstname.lastname@example.org: "Re: jail() House Rock"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 10 Sep 2002 16:25:42 +0200 From: Nomad <email@example.com> To: firstname.lastname@example.org
So, you are wrong and I have to correct you.
To read a file in way you described user has to have x permission to all subdirectories and x permission to executable file.
We assume, that you have x permission to executable, but for root directory of jail you don't.
On Mon, Sep 09, 2002 at 08:49:34AM -0600, email@example.com wrote:
> > A reasonable solution is to block access to the jailed filesystems
> > from non-jailed accounts. Just do the following:
> > install -m u=rwx,go= -d /usr/fence
> > install -d /usr/fence/jail
> > Then use the fenced off directory as your jail root. We are
> > successfully running desktops with multiple developer jails in this sort of
> > configuration and things work great. This exclued anyone but root from
> > using suid binaries from a jail, and well, root's already root.
> Er, I don't believe this solves the issue. If the user knows the full path
> from the host system to the suid binary s/he created in the jail, s/he can
> access it directly as a regular use in the host environment. Ie., typing
> Please correct me if I'm wrong or if I've misunderstood.
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message