jails and mac_seeotheruids problems in 6-STABLE

Robert Watson rwatson at FreeBSD.org
Tue Sep 30 16:16:40 UTC 2008


On Tue, 30 Sep 2008, George Mamalakis wrote:

> It works like a charm! Thank you very much for your time and help,

No problem -- I've gone ahead and committed that change to stable/6.  If 
you're able to test 6.4RC1 when it comes out to confirm that the fix works 
there as desired, that would be most helpful.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> regards,
>
>
> Robert Watson wrote:
>> 
>> On Tue, 30 Sep 2008, George Mamalakis wrote:
>> 
>>> I have 3 servers in my lab. 2 of them are running 6-STABLE and one of them 
>>> is running 7-STABLE. All three have services running in jails. I noticed a 
>>> very peculiar behavior in 6-STABLE when I set the sysctl 
>>> security.mac.seeotheruids.enabled=1. The root user in my jails was not 
>>> able to see processes and sockets owned by other users of the same jail, 
>>> whereas the root user of the host system could see every process (thank 
>>> the Almighty). The same behavior does not apply on the server running 
>>> 7-STABLE.
>>> 
>>> In one sense it is more secure, since the root user in a jail is not as 
>>> "strong" as the root user should be in a UNIX system. On the other hand, 
>>> the root user loses its purpose of existence, which I suppose is a bug.
>>> 
>>> Below are the security.mac sysctl settings of both 6 and 7-STABLE:
>> 
>> Could you try modifying 
>> src/sys/security/mac_seeotheruids/mac_seeotheruids.c in a 6.x tree so that 
>> the call to suser_cred() in mac_seeotheruids_check() passes the 
>> SUSER_ALLOWJAIL flag rather than 0?  This may correct the problem you're 
>> experiencing.  Let me know and I can merge that change to 6.x.
>> 
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>> 
>>> 
>>> 6-STABLE:
>>> 
>>> security.mac.max_slots: 4
>>> security.mac.enforce_network: 1
>>> security.mac.enforce_pipe: 1
>>> security.mac.enforce_posix_sem: 1
>>> security.mac.enforce_suid: 1
>>> security.mac.mmap_revocation_via_cow: 0
>>> security.mac.mmap_revocation: 1
>>> security.mac.enforce_vm: 1
>>> security.mac.enforce_process: 1
>>> security.mac.enforce_socket: 1
>>> security.mac.enforce_system: 1
>>> security.mac.enforce_kld: 1
>>> security.mac.enforce_sysv_msg: 1
>>> security.mac.enforce_sysv_sem: 1
>>> security.mac.enforce_sysv_shm: 1
>>> security.mac.enforce_fs: 1
>>> security.mac.seeotheruids.specificgid: 0
>>> security.mac.seeotheruids.specificgid_enabled: 0
>>> security.mac.seeotheruids.primarygroup_enabled: 0
>>> security.mac.seeotheruids.enabled: 1
>>> security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443
>>> security.mac.portacl.port_high: 1023
>>> security.mac.portacl.autoport_exempt: 1
>>> security.mac.portacl.suser_exempt: 1
>>> security.mac.portacl.enabled: 1
>>> 
>>> 
>>> 7-STABLE:
>>> 
>>> security.mac.max_slots: 4
>>> security.mac.version: 3
>>> security.mac.mmap_revocation_via_cow: 0
>>> security.mac.mmap_revocation: 1
>>> security.mac.seeotheruids.specificgid: 0
>>> security.mac.seeotheruids.specificgid_enabled: 0
>>> security.mac.seeotheruids.suser_privileged: 1
>>> security.mac.seeotheruids.primarygroup_enabled: 0
>>> security.mac.seeotheruids.enabled: 1
>>> 
>>> I would be very glad if someone could inform me whether I am doing 
>>> something wrong; if not I think I should inform FreeBSD about this bug.
>>> 
>>> Thank you guys in advance,
>>> 
>>> -- 
>>> George Mamalakis
>>> 
>>> IT Officer
>>> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
>>> MSc (Imperial College of London)
>>> 
>>> Department of Electrical and Computer Engineering
>>> Faculty of Engineering
>>> Aristotle University of Thessaloniki
>>> 
>>> phone number : +30 (2310) 994379
>>> 
>>> 
>
> -- 
> George Mamalakis
>
> IT Officer
> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
> MSc (Imperial College of London)
>
> Department of Electrical and Computer Engineering
> Faculty of Engineering
> Aristotle University of Thessaloniki
>
> phone number : +30 (2310) 994379
>
>
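The behaviour George reported and the fix Robert proposed can be illustrated with a small userland model of the check. This is an added example written for this page, not FreeBSD's own source: the `model_cred` struct, the `model_suser_cred()` and `model_seeotheruids_check()` helpers and the `MODEL_SUSER_ALLOWJAIL` constant are constructed stand-ins for the kernel's `struct ucred`, `suser_cred()`, `mac_seeotheruids_check()` and `SUSER_ALLOWJAIL`, and the specificgid branch of the real check is omitted. The `suser_flags` parameter stands in for the literal `0` that 6.x passed to `suser_cred()`; passing the allow-jail flag instead is the change merged to stable/6.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of the credential fields the check consults. */
typedef struct {
    unsigned ruid;   /* real uid */
    unsigned rgid;   /* real gid */
    unsigned euid;   /* effective uid; 0 is root */
    int      jailed; /* non-zero when the credential belongs to a jail */
} model_cred;

/* Stand-in for the kernel's SUSER_ALLOWJAIL flag (assumed value). */
#define MODEL_SUSER_ALLOWJAIL 0x1

/* Model of suser_cred(): root succeeds, but a jailed root only succeeds
 * when the caller explicitly allows jailed credentials. This is the rule
 * that made the jailed root lose on 6.x when the flag word was 0. */
static int model_suser_cred(const model_cred *cr, int flags)
{
    if (cr->euid != 0)
        return EPERM;
    if (cr->jailed && !(flags & MODEL_SUSER_ALLOWJAIL))
        return EPERM;
    return 0;
}

/* Mirrors the two sysctls from the thread that matter for this model. */
static int seeotheruids_enabled = 1;   /* security.mac.seeotheruids.enabled */
static int primarygroup_enabled = 0;   /* security.mac.seeotheruids.primarygroup_enabled */

/* Model of mac_seeotheruids_check(u1 = viewer, u2 = owner of the process or
 * socket). Returns 0 when u1 may see u2's objects, ESRCH when the policy hides
 * them. suser_flags is what the check hands to suser_cred(). */
static int model_seeotheruids_check(const model_cred *u1, const model_cred *u2,
                                    int suser_flags)
{
    if (!seeotheruids_enabled)
        return 0;
    if (primarygroup_enabled && u1->rgid == u2->rgid)
        return 0;
    if (u1->ruid == u2->ruid)
        return 0;
    if (model_suser_cred(u1, suser_flags) == 0)
        return 0;
    return ESRCH;
}

/* Constructed credentials for the scenario in the thread. */
static const model_cred host_root   = { 0,    0,    0,    0 };
static const model_cred jailed_root = { 0,    0,    0,    1 };
static const model_cred jail_user   = { 1001, 1001, 1001, 1 };

/* Convenience wrappers so the two code paths can be compared side by side. */
static int check_as_6x(const model_cred *viewer, const model_cred *owner)
{
    return model_seeotheruids_check(viewer, owner, 0);
}

static int check_as_fixed(const model_cred *viewer, const model_cred *owner)
{
    return model_seeotheruids_check(viewer, owner, MODEL_SUSER_ALLOWJAIL);
}

int main(void)
{
    printf("host root sees jail user    (6.x):   %s\n",
           check_as_6x(&host_root, &jail_user) == 0 ? "yes" : "no");
    printf("jailed root sees jail user  (6.x):   %s\n",
           check_as_6x(&jailed_root, &jail_user) == 0 ? "yes" : "no");
    printf("jailed root sees jail user  (fixed): %s\n",
           check_as_fixed(&jailed_root, &jail_user) == 0 ? "yes" : "no");
    printf("jail user sees jailed root  (fixed): %s\n",
           check_as_fixed(&jail_user, &jailed_root) == 0 ? "yes" : "no");
    return 0;
}
```

With the flag word at 0, the jailed root falls through every early return and is hidden from other users' objects exactly as described for 6-STABLE; passing the allow-jail flag restores visibility for jailed root without widening what an unprivileged jailed user can see.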
