security.bsd.see_other_uids for jails
Anatoli Klassen
anatoli at aksoft.net
Sun May 28 07:39:41 PDT 2006
joerg at britannica.bec.de wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
>> Hi All,
>>
>> if security.bsd.see_other_uids is set to 0, users from the main system
>> can still see processes from jails if they have (by accident) the save uid.
>>
>> For me it's wrong behavior because the main system and the jail are two
>> different systems where uids are independent.
>
> Sorry but you have far bigger security problems if you create such a
> setup. E.g. "users" from the outer system can ptrace the processes in
> the jail with the same uid.
>
But ptrace uses the same function p_cansee for security check.
Does it mean than "outer" user is more privileged as "jailed" root? Is
it intended?
Regards,
Anatoli
More information about the freebsd-hackers
mailing list