Thoughts on jail privilege (FAQ submission)
Chris Rees
utisoft at googlemail.com
Sat Jan 17 04:01:40 PST 2009
---------- Forwarded message ----------
From: Chris Rees <utisoft at googlemail.com>
Date: 2009/1/17
Subject: Re: Thoughts on jail privilege (FAQ submission)
To: Jan Demter <jan-mailinglists at demter.de>
2009/1/17 Jan Demter <jan-mailinglists at demter.de>:
> On 15.01.2009 at 19:31, Jon Passki wrote:
>
>> Another thing to think about is user IDs. You could have a user ID
>> in your host of 1001. Your jail could have a completely different user
>> account, but collide on the user ID of 1001. Your host user ID 1001 will
>> have access to those jail user ID 1001 files, unless you restrict a parent
>> directory. That was the use case I came across and avoided.
>
> I do not think restricting directories will help you a lot against these
> attacks.
> User 1001 on the host has access to all running processes of user 1001 in
> the jail and should be able to simply inject code to read the files via
> debugging interfaces.
> As Snuggles said, best practice is to not allow access to the host to
> anyone. If you have to, you should avoid collisions of user IDs.
>
> Greetings
> Jan
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
I find it quite strange that user 1001 can send signals to a jailed
process of UID 1001. Is that intentional, or would it be a *lot* of
working round to check the UID _and_ JID when signals are sent etc?
I appreciate that UID collisions should be avoided, but I also think
the documentation should cover these gotchas. The Handbook is
beautiful, and taught me FreeBSD from start to finish, so I don't
consider it an advanced-users only reference. I appreciate that jails
are quite advanced, but I do think the security concerns should be
listed. We all forget things :)
I might post to the doc list later to suggest this. I'll provide a
patch if necessary.
Chris
--
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)
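A check for the collision Jon and Jan describe, added here as an example and not part of the thread: a POSIX sh function that lists UIDs present in both the host's passwd file and a jail's, since a shared UID is what lets the host account reach the jail account's files and processes. The 1000 cut-off for "unprivileged" accounts and the sample passwd entries are constructed assumptions.

```shell
#!/bin/sh
# Added example: list UIDs shared between a host passwd file and a jail's.

# uid_collisions HOST_PASSWD JAIL_PASSWD [MIN_UID]
# Prints "uid host_user jail_user" for every UID >= MIN_UID (default 1000,
# an assumed cut-off that skips base-system accounts such as root/daemon,
# which a jail built from the same base necessarily shares with the host).
# Exit status: 1 if at least one collision was printed, 0 otherwise.
uid_collisions() {
    awk -F: -v min="${3:-1000}" '
        /^#/ || NF < 3 { next }                       # skip comments and junk
        FILENAME == ARGV[1] { host[$3] = $1; next }   # host users keyed by UID
        ($3 + 0) >= min && ($3 in host) {             # jail UID also on host
            print $3, host[$3], $1; found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1" "$2"
}

# Constructed passwd fragments for a self-contained demo (not real systems):
# host "alice" and jail "www-data" both hold UID 1001, as in the thread.
demo_collisions() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/host.passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
EOF
    cat > "$tmp/jail.passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www-data:*:1001:1001:Web service:/var/www:/usr/sbin/nologin
carol:*:1003:1003:Carol:/home/carol:/bin/sh
EOF
    if uid_collisions "$tmp/host.passwd" "$tmp/jail.passwd"; then
        status=0
    else
        status=$?
    fi
    rm -rf "$tmp"
    return $status
}
```

On a real system the arguments would be /etc/passwd and the jail root's etc/passwd; root (UID 0) is skipped by the cut-off, not because it is harmless.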