Re: Need advice: Better Jail integration into ps/top, setpwfile gone forever?
- In reply to: antranigv : "Need advice: Better Jail integration into ps/top, setpwfile gone forever?"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 26 Aug 2021 01:09:29 UTC
I have no specific answer to your questions, but just a few thoughts: As a policy, I allocate a uid/gid range to the jails that are unused on the host. I only do it with user accounts, servers/daemons are left as they are. (though ideally they would be changed too) To improve on this, I think a per-jail configurable "uid" and "gid" offset would seem a good idea, so for instance, if you set jail_uid_increment = 10000 then anything with uid "0" in the jail would actually be running under uid 10,000 but the jail would translate the uid/gid on the fly inside the jail. That would help when the jails are administered by other people who you can't guarantee will follow your policy. Having a jail uid/gid being used by a host user/group can cause other problems: - Any user on the host must be trusted, because they have access to processes running under the jail that use their uid. - Even if you patch ps and top, the issue you cite could come back to bite in the - future in other ways (How can a non jail-aware program grok this response if a - username exists in the host and the jail, but with different uid's? (the same - principle applies to groups too)) Finally, if you do proceed with this, do you think it would be a good idea to prefix the result with the jail number? I.E. In your case, something like "1:antranigv" Just a few thoughts, it will be interesting to see how you progress, as this was something that bugged me when I was managing jails. Cheers, Jamie