Re: jail() House Rock

From: Nomad (mailman@crypton.pl)
Date: 09/10/02


Date: Tue, 10 Sep 2002 16:25:42 +0200
From: Nomad <mailman@crypton.pl>
To: freebsd-security@freebsd.org

So, you are wrong and I have to correct you.
To read a file in the way you described, the user has to have x permission on all subdirectories and x permission on the executable file.
We assume that you have x permission on the executable, but for the root directory of the jail you don't.

On Mon, Sep 09, 2002 at 08:49:34AM -0600, bsd@xtremedev.com wrote:
> > A reasonable solution is to block access to the jailed filesystems
> > from non-jailed accounts. Just do the following:
> >
> > install -m u=rwx,go= -d /usr/fence
> > install -d /usr/fence/jail
> >
> > Then use the fenced off directory as your jail root. We are
> > successfully running desktops with multiple developer jails in this sort of
> > configuration and things work great. This excludes anyone but root from
> > using suid binaries from a jail, and well, root's already root.
>
> Er, I don't believe this solves the issue. If the user knows the full path
> from the host system to the suid binary s/he created in the jail, s/he can
> access it directly as a regular user in the host environment. Ie., typing
> in:
>
> /usr/fence/jail/usr/home/baduser/bin/rootshell
>
> Please correct me if I'm wrong or if I've misunderstood.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
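
An added example, not part of the original thread: a Python audit check for the point made above, that a host user needs x on every directory from the fence down and on the executable itself. It looks only at classic mode bits (no ACLs or MAC policy); `may_use`, `first_denied` and `build_demo_tree` are names made up here, and the tree is a constructed sample under a temporary directory.

```python
import os
import stat
import tempfile

def may_use(st, uid, gids):
    """Classic UNIX rule: exactly one of the owner/group/other x bits applies."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_denied(base, target, uid, gids=()):
    """Walk from base down to target and return the first component whose mode
    denies x (search on a directory, execute on the file), or None."""
    if uid == 0:
        return None  # directory modes do not stop root
    cur = os.path.realpath(base)
    rel = os.path.relpath(os.path.realpath(target), cur)
    for part in [""] + rel.split(os.sep):
        cur = os.path.join(cur, part) if part else cur
        if not may_use(os.stat(cur), uid, gids):
            return cur
    return None

def build_demo_tree(fence_mode):
    """Constructed sample tree with the thread's layout, under a temp dir."""
    fence = os.path.join(tempfile.mkdtemp(), "fence")
    bindir = os.path.join(fence, "jail", "usr", "home", "baduser", "bin")
    os.makedirs(bindir)
    for dirpath, _, _ in os.walk(fence):
        os.chmod(dirpath, 0o755)      # make the result independent of umask
    binary = os.path.join(bindir, "rootshell")
    with open(binary, "w") as fh:
        fh.write("placeholder, not a real binary\n")
    os.chmod(binary, 0o755)           # only the x bits matter to this check
    os.chmod(fence, fence_mode)       # 0o700 is the thread's u=rwx,go=
    return fence, binary

if __name__ == "__main__":
    for mode in (0o700, 0o755):
        fence, binary = build_demo_tree(mode)
        other = os.stat(fence).st_uid + 1   # hypothetical non-owner, non-root uid
        print(oct(mode), "->", first_denied(fence, binary, other))
```

Run against a real host, `base` would be `/` and `target` the path inside the jail, with the uid and group list of the account being audited.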


