security.bsd.see_other_uids for jails
Anatoli Klassen
anatoli at aksoft.net
Mon May 29 07:39:04 PDT 2006
David Malone wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
>> if security.bsd.see_other_uids is set to 0, users from the main system
>> can still see processes from jails if they have (by accident) the save uid.
>>
>> For me it's wrong behavior because the main system and the jail are two
>> different systems where uids are independent.
>
> You could try the following (untested) patch to the MAC seeotheruid
> module. You'd need to compile a kernel with the MAC option and then:
>
Thanks for the patch, maybe I'll need something like that for my
environment.
But my question is if it's really intended that jail is not real virtual
system but just a way to limit interaction from jail to host and not
vice versa.
If it's the case than this has to be specified in jail(8).
Regards,
Anatoli
More information about the freebsd-hackers
mailing list