security.bsd.see_other_uids for jails
Robert Watson
rwatson at FreeBSD.org
Mon May 29 10:47:42 PDT 2006
On Mon, 29 May 2006, Anatoli Klassen wrote:
> David Malone wrote:
>> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
>>> if security.bsd.see_other_uids is set to 0, users from the main system can
>>> still see processes from jails if they have (by accident) the save uid.
>>>
>>> For me it's wrong behavior because the main system and the jail are two
>>> different systems where uids are independent.
>>
>> You could try the following (untested) patch to the MAC seeotheruid
>> module. You'd need to compile a kernel with the MAC option and then:
>
> Thanks for the patch, maybe I'll need something like that for my
> environment.
>
> But my question is if it's really intended that jail is not real virtual
> system but just a way to limit interaction from jail to host and not vice
> versa.
>
> If it's the case than this has to be specified in jail(8).
Yes, this is a documentation bug. It is more precise to think of jail as a
subsetting service than a virtualizing service: processes in jails see a
subset of the system resources, rather than virtualized versions. So, for
example, they see a subset of the file system name space, a subset of the
IP/port name space, a subset of the process list, etc. This means that
applications in the "host" environment overlap with the jail environments by
virtue of also having access to that subset, as they can directly name files
in the file system subset, IP and port bindings, processes, and so on. This
does appear unclear from a quick skim of the man page, so something on the
order of the above, with practical suggestions on what this implies, is
required in the page.
Robert N M Watson
More information about the freebsd-hackers
mailing list