Thoughts on jail privilege (FAQ submission)
Snuggles
snuggles at w00ttech.com
Thu Jan 15 10:15:21 PST 2009
The best practice that I've been following is to not offer any
services on the host install and do not allow users to login to the
host. The only accounts on the host are root, and my admin user.
On Thu, Jan 15, 2009 at 9:09 AM, Chris Rees <utisoft at googlemail.com> wrote:
> Hey all,
>
> I think that there should be a warning (on the jail man page or
> handbook page perhaps), on setuid in jails. Ex:
>
> John <-- user on the (host) server
>
> I give John root access to a jail (just for him to play with), and he
> then sets vi (for example) to setuid root. He then sshs into the host,
> and uses
>
> $ /usr/jail/johnsandbox/usr/bin/vi /usr/local/etc/sudoers
>
> He now has root!
>
> Am I completely thick not to have noticed this, or should there be a
> warning about people being allowed to have root in a jail where they
> have unprivileged access to the host? Or have I missed the point of a
> jail?
>
> Regards
>
> Chris
> --
> R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list