/dev/pts/0 in a jail shows no one is observing from outer prison.

Julian H. Stacey jhs at berklix.com
Thu Jul 18 13:09:11 UTC 2013


Hi freebsd-jail at freebsd.org, freebsd-security at freebsd.org
cc: np at bsn.com

I noticed something within a jail that seems a little slack:

  An ssh to a jail followed by who, if it shows just pts/0, shows
  no one else is logged in { within jail And Also Outer Prison
  [And presumably also other parallel jails] }.

  (OK Yes, an admin might be logged in to prison on a direct
   wire or ttyv but most unlikely in the common case of a remote
   server farm)

  So the person logging in to the jail is effectively told "Owner
  of the prison is also absent, now is a good time to try exploits."

  Ideally within a jail, logins would get no indication if the
  prison & other jails were logged in or not.

  (OK, Yes, one might argue on a traditional non prison & jails
  server, one can also see who is, or not, logged in on one large
  common system, but presumably one benefit of putting users in
  jails should be the jailed should no longer see presence of outside
  users ?)
  
Is it viable to tighten the default?
man jail has:  devfs_ruleset zero (default)
I was using a jail created by ezjail.
The outer prison (names obfuscated):  mount | grep dev
	devfs on /dev (devfs, local, multilabel)
	devfs on /tank4/ezjail/jail1.org/dev (devfs, local, multilabel)
	fdescfs on /tank4/ezjail/jail1.org/dev/fd (fdescfs)
	devfs on /tank4/ezjail/jail2.org/dev (devfs, local, multilabel)
	fdescfs on /tank4/ezjail/jail2.org/dev/fd (fdescfs)

Why I noticed:
	 My DSL link timed out, ( no sshd with TCPKeepAlive=Yes, &
	 failed ping -i 120 -q my-isp.de ). Within jail, after who
	 & ps -t to kill junk, new logins persisted at pts/1, not pts/0.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
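Added example (editor's, not Julian's and not from ezjail or FreeBSD itself): a small sh script to check the devfs side of the question. It evaluates whether a given /dev path such as pts/0 ends up hidden or visible under a flat devfs.rules(5)-style ruleset, and, when run on a FreeBSD host, prints each running jail's devfs_ruleset via jls(8) and dumps that ruleset with devfs(8). The rulesets in the script are constructed samples, not the stock /etc/defaults/devfs.rules; matching patterns with the shell's own case globbing is an assumption about how devfs matches paths. One caveat that is my reading of pts(4), not something the post states: pty unit numbers are handed out from a single kernel-wide pool, so hiding pts/* changes what a jailed user can list under /dev, but not which number the jail's own login receives.

```shell
#!/bin/sh
# Added example, not from the original post. Decides whether PATH (arg 1) is
# hidden or visible under the devfs.rules-style lines read from stdin, and on
# a FreeBSD host lists each jail's devfs_ruleset and its rules.

# Apply flat rules in order:
#     add hide / add unhide / add path PATTERN hide|unhide
# "add include N" is reported as unsupported (the live check below lets
# devfs(8) print those lines itself). Ruleset 0, the jail(8) default, has no
# rules at all, so an empty input yields "visible" for every path.
# Assumption: patterns are matched with the shell's case(1) globbing.
pts_state() {
    _p=$1
    _state=visible
    while read -r _a _b _c _d; do
        case "$_a" in
            ''|'#'*|'['*) continue ;;          # blank, comment, [name=N]
        esac
        [ "$_a" = add ] || continue
        case "$_b" in
            hide)   _state=hidden ;;
            unhide) _state=visible ;;
            path)
                _pat=${_c%\'}; _pat=${_pat#\'}  # strip optional single quotes
                case "$_p" in
                    $_pat)
                        case "$_d" in
                            hide)   _state=hidden ;;
                            unhide) _state=visible ;;
                        esac ;;
                esac ;;
            include) echo "unsupported: add include $_c" >&2 ;;
        esac
    done
    echo "$_state"
}

# Constructed sample ruleset: hide everything, then re-expose a few entries a
# login needs, including the pts directory and its entries.
jail_rules_with_pts() {
    cat <<'EOF'
[devfsrules_jail_example=100]
add hide
add path null unhide
add path zero unhide
add path 'pts' unhide
add path 'pts/*' unhide
EOF
}

# Same ruleset with the two pts lines dropped.
jail_rules_without_pts() {
    jail_rules_with_pts | grep -v pts
}

# FreeBSD only: each running jail's devfs_ruleset and the rules devfs(8)
# reports for it (0 means no rules, i.e. the whole of /dev is visible).
audit_jail_rulesets() {
    jls name | while read -r _j; do
        _rs=$(jls -j "$_j" devfs_ruleset)
        echo "== jail $_j: devfs_ruleset=$_rs"
        if [ "$_rs" -eq 0 ]; then
            echo "   ruleset 0: no rules, entire /dev visible inside the jail"
        else
            devfs rule -s "$_rs" show
        fi
    done
}

if command -v jls >/dev/null 2>&1 && command -v devfs >/dev/null 2>&1; then
    audit_jail_rulesets
else
    echo "pts/0 with pts unhidden:   $(jail_rules_with_pts | pts_state pts/0)"
    echo "pts/0 with pts left hidden: $(jail_rules_without_pts | pts_state pts/0)"
fi
```

Run it inside the host (outer prison) as root to see what each jail was started with; the pure-text part runs anywhere with a POSIX sh.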
