Re: Need advice: Better Jail integration into ps/top, setpwfile gone forever?

From: Jamie Landeg-Jones <jamie_at_catflap.org>
Date: Thu, 26 Aug 2021 02:09:29 +0100

I have no specific answer to your questions, but just a few thoughts:

As a policy, I allocate a uid/gid range to the jails that is unused on the host.
I only do it with user accounts; servers/daemons are left as they are (though
ideally they would be changed too).

To improve on this, I think a per-jail configurable "uid" and "gid" offset would
seem a good idea, so for instance, if you set jail_uid_increment = 10000 then
anything with uid "0" in the jail would actually be running under uid 10,000 but
the jail would translate the uid/gid on the fly inside the jail. That would help
when the jails are administered by other people who you can't guarantee will follow
your policy.

Having a jail uid/gid being used by a host user/group can cause other problems:

- Any user on the host must be trusted, because they have access to processes
  running under the jail that use their uid.

- Even if you patch ps and top, the issue you cite could come back to bite in the
  future in other ways. (How can a non jail-aware program grok this response if a
  username exists in the host and the jail, but with different uids? The same
  principle applies to groups too.)

Finally, if you do proceed with this, do you think it would be a good idea to
prefix the result with the jail number?

I.E. In your case, something like "1:antranigv"

Just a few thoughts, it will be interesting to see how you progress, as this
was something that bugged me when I was managing jails.

Cheers, Jamie
Received on Thu Aug 26 2021 - 01:09:29 UTC
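
A check for the two collision cases raised in the message above (a jail uid that is also in use on the host, and a username present in both with different uids), as an added example that is not part of the original post. The passwd data is constructed, and the `min_uid` cut-off separating user accounts from server/daemon accounts is an assumption.

```python
# Constructed sample data in passwd(5) format (name:pw:uid:gid:gecos:home:shell).
HOST_PASSWD = """\
# constructed host sample
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
antranigv:*:1002:1002:Host account:/home/antranigv:/bin/sh
"""
JAIL_PASSWD = """\
# constructed jail sample
root:*:0:0:Charlie &:/root:/bin/csh
bob:*:1001:1001:Bob:/home/bob:/bin/sh
antranigv:*:1005:1005:Jail account:/home/antranigv:/bin/sh
carol:*:10003:10003:Carol:/home/carol:/bin/sh
"""

def parse_passwd(text):
    """Return {name: uid}, skipping comments, blanks and malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def audit(host_text, jail_text, min_uid=1000):
    """Check jail user accounts (uid >= min_uid) against the host.

    min_uid is an assumed cut-off: accounts below it are treated as
    server/daemon accounts, which the policy above leaves unchanged.
    """
    host, jail = parse_passwd(host_text), parse_passwd(jail_text)
    host_by_uid = {}
    for name, uid in host.items():
        host_by_uid.setdefault(uid, []).append(name)
    findings = []
    for name, uid in sorted(jail.items(), key=lambda kv: kv[1]):
        if uid < min_uid:
            continue
        # A host user with this uid has access to the jail's processes.
        for host_name in host_by_uid.get(uid, []):
            findings.append(("uid-shared", uid, name, host_name))
        # Same name, different uid: ambiguous for non jail-aware programs.
        if name in host and host[name] != uid:
            findings.append(("name-mismatch", uid, name, host[name]))
    return findings

if __name__ == "__main__":
    for finding in audit(HOST_PASSWD, JAIL_PASSWD):
        print(finding)
```

Each finding is a tuple of (kind, jail uid, jail username, host username or host uid); an empty list means the jail's user accounts sit in a range the host does not use.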