UNIX domain sockets on nullfs still broken?

Julian Elischer julian at elischer.org
Wed Dec 2 17:43:22 UTC 2009 

Alexander Leidinger wrote:
> Quoting Linda Messerschmidt <linda.messerschmidt at gmail.com> (from Tue, 1 
> Dec 2009 10:22:02 -0500):
> 
>> On Mon, Nov 30, 2009 at 10:14 AM, Ivan Voras <ivoras at freebsd.org> wrote:
>>>> What's the sane solution, then, when the only method of communication
>>>> is unix domain sockets?
>>>
>>> It is a security problem. I think the long-term solution would be to 
>>> add a
>>> sysctl analogous to security.jail.param.securelevel to handle this.
>>
>> Out of curiosity, why is allowing accessing to a Unix domain socket in
>> a filesystem to which a jail has explicitly been allowed access more
>> or less secure than allowing access to a file or a devfs node in a
>> filesystem to which a jail has explicitly been allowed access?
> 
> Answer A: There is no difference.
> 
> Answer B: You open up a direct communication channel between two 
> systems, which may not have been able to communicate before (firewall 
> rules, ...). With files you can do something similar too, but having a 
> socket there makes it more easy and you do not need to write extra code. 
> It is similar to enabling SHM access in jails (currently all jails share 
> the same SHM area). And depending on the application with the socket, 
> you may be able to change files on the other side, to which you do not 
> have access to otherwise (think about a daemon which changes passwords...).

I have used chroots and jails in a way that relies on the ability of a
shared unix domain pipe being usable to communicate between them, and
I also see why it may not be good.

I suggest that the ability to do so might be somehow controllable by
the jail creator in some way.

> 
> Answer A is good if you control what is run where and how, and if you 
> use jails for easy data migration and program separation (lightweight 
> virtualization).
> 
> Answer B is valid if you are an ISP which rents jails (in this case you 
> do not share a FS read-write anyway (at leat you shouldn't) and the 
> point does not really matter).
> 
> Pick the answer depending on your viewpoint / security requirements and 
> the software you are using.
> 
> As both points are valid, we should provide the possibility to have both 
> situations working.

yes please.
  A sysctl would do at a pinch, but maybe a per-jail setting might be 
possible too.


> 
> Bye,
> Alexander.
>

More information about the freebsd-hackers mailing list