Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

On Tue, 10 May 2011, Bakul Shah wrote:

Dumb question: the jail command can refuse to run unless the
parent of a jail root is 0700. Would that work? No kernel hack

I do not think that this should be enforced in kernel, in the jail(8)
command nor anywhere else. UNIX rm(1) is not opening a pop-up window
asking "are you sure?" if you do "rm -rf /". The OS should not
impose arbitrary restrictions based on some random assumptions on
how a particular OS facility is going to be used.

I can easily think of several scenarios where such a restriction
would cause more trouble than benefit. One example: I might have
zero unprivileged users in the jail host (thus the restriction would
be unnecessary). I need to run a cron job in the jail host which
updates some data within the jails. I rather not do this as root
but instead use a separate non-root user for the purpose (as it is
generally a good practice to run everything as non-root unless it
is really necessary to be root). The proposed restriction would
defeat this possibility and force me to run all jail-related tasks
as root in the jail host, which might open it up to some other
potential security issues.

This should go in to the documentation as a recommendation for some
common jail use cases, but seriously, really not in the code, please.

In UNIX we do not want to prevent people from shooting themselves
in the foot. We should assume that the system administrator knows
what they want and should not restrict their freedom to do so.

Just my thoughts,
Janne Snabb / EPIPE Communications
snabb@xxxxxxxxx -
freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"