jail and chflags [patch]
Pawel Jakub Dawidek
pjd at FreeBSD.org
Sat May 15 10:52:20 PDT 2004
On Fri, May 14, 2004 at 05:25:16PM -0700, Julian Elischer wrote:
>
> I have several situations where I use jails, but I also need to allow
> processes to do 'chflags'.
> I trust these jailed processes, as I'm using jails to allow different
> versions of the same software to run, rather than to isolate untrusted
> users from each other...
>
> More confusingly it seems that chflags IS allowed in -current jails
> despite the fact that the comments say they are not..
>
> At the bottom is a patch I propose (relative to 4.8 which I
> use in production) for allowing a sysctl that decides whether
> chflags is permitted in a jail..
>
> However, in -current the same code is:
>
> 	/*
> 	 * Unprivileged processes and privileged processes in
> 	 * jail() are not permitted to unset system flags, or
> 	 * modify flags if any system flags are set.
> 	 * Privileged non-jail processes may not modify system flags
> 	 * if securelevel > 0 and any existing system flags are set.
> 	 */
> 	if (!suser_cred(cred, PRISON_ROOT)) {
> 		if (ip->i_flags
> 		    & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
> 			error = securelevel_gt(cred, 0);
> 			if (error)
> 				return (error);
> 		}
> 		[...]
> 	} else {
> 		[...]
>
> which to me is confusing because suser_cred(cred, PRISON_ROOT)
> should return 0 for a jailed root and thus allow it...
> despite what the comment says.
> "man 9 suser" says that the PRISON_ROOT flag should be used to ALLOW
> root privs in a jail. (and the code seems to agree)
>
> in fact experimentation in -current shows this to be correct..
> in a jail:
>
> xxx# chflags noschg libthr.so.1
> xxx# ls -lo libthr.so.1
> -r--r--r-- 1 root wheel - 611568 May 15 00:02 libthr.so.1
> xxx# chflags schg libthr.so.1
> xxx# ls -lo libthr.so.1
> -r--r--r-- 1 root wheel schg 611568 May 15 00:02 libthr.so.1
> xxx#
>
> comments? yeahs? nays?
Whoa! This looks very serious.
I agree with your fix, but a few words about the patch:
1. We should first commit it to -CURRENT.
2. We should also fix extfs2.
3. Maybe we rename the sysctl to
security.jail.allow_system_flags_modifications?
Not too short, but it isn't UFS-specific and I'll be glad if we keep
all jail-related sysctls in the security.jail. tree.
What's your opinion about my patch?
http://people.freebsd.org/~pjd/patches/jail2.patch
--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd at FreeBSD.org                        http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
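The behaviour discussed above, as an added model that is not code from the thread or from the FreeBSD tree: the quoted ufs_setattr() check is reduced to a pure function over a credential model, so you can see why suser_cred(cred, PRISON_ROOT) lets jailed root clear schg in -current, and how a sysctl knob such as the proposed security.jail.allow_system_flags_modifications would close that. The SF_* values are the flag bits from FreeBSD's <sys/stat.h>; the credential struct, the knob variable and the two check functions are hypothetical names for this model only, and the unprivileged branch is reconstructed from the comment rather than quoted from the source.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* System ("superuser") flag bits as defined in FreeBSD <sys/stat.h>. */
#define SF_IMMUTABLE 0x00020000u   /* schg: file may not be changed */
#define SF_APPEND    0x00040000u   /* sappnd: writes may only append */
#define SF_NOUNLINK  0x00100000u   /* sunlnk: file may not be removed */
#define SF_SETTABLE  0xffff0000u   /* mask of all system flags */
#define SF_ENFORCED  (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)

/* Hypothetical credential model: just the facts the check depends on. */
struct cred_model {
    bool is_root;      /* effective uid 0 */
    bool in_jail;      /* process lives inside a jail() */
    int  securelevel;  /* securelevel the process is subject to */
};

/* Model of the knob proposed in the thread; off by default. */
bool jail_allow_system_flags = false;

/*
 * Model of suser_cred(): 0 means "privileged". With prison_root set,
 * jailed root counts as privileged, which is what the thread observed.
 */
static int suser_cred_model(const struct cred_model *c, bool prison_root)
{
    if (!c->is_root)
        return EPERM;
    if (c->in_jail && !prison_root)
        return EPERM;
    return 0;
}

static int securelevel_gt_model(const struct cred_model *c, int level)
{
    return c->securelevel > level ? EPERM : 0;
}

/* The policy, with the "is jailed root privileged?" decision passed in. */
static int chflags_policy(const struct cred_model *c, unsigned oldflags,
                          unsigned newflags, bool prison_root)
{
    if (!suser_cred_model(c, prison_root)) {
        /* Privileged: only securelevel can block system-flag changes. */
        if (oldflags & SF_ENFORCED) {
            int error = securelevel_gt_model(c, 0);
            if (error)
                return error;
        }
        return 0;
    }
    /* Unprivileged: no change while system flags are set, and no
     * change that would set or clear a system flag. */
    if ((oldflags & SF_ENFORCED) || ((newflags ^ oldflags) & SF_SETTABLE))
        return EPERM;
    return 0;
}

/* -current as quoted: PRISON_ROOT is always passed, so jailed root wins. */
int chflags_check_current(const struct cred_model *c, unsigned oldflags,
                          unsigned newflags)
{
    return chflags_policy(c, oldflags, newflags, true);
}

/* With the knob: jailed root is privileged only when the sysctl says so. */
int chflags_check_with_knob(const struct cred_model *c, unsigned oldflags,
                            unsigned newflags)
{
    return chflags_policy(c, oldflags, newflags, jail_allow_system_flags);
}

int main(void)
{
    /* Constructed case: jailed root at securelevel 0 clears schg,
     * mirroring the "chflags noschg libthr.so.1" transcript. */
    struct cred_model jailed_root = { true, true, 0 };
    printf("-current : %d\n", chflags_check_current(&jailed_root, SF_IMMUTABLE, 0));
    printf("knob off : %d\n", chflags_check_with_knob(&jailed_root, SF_IMMUTABLE, 0));
    jail_allow_system_flags = true;
    printf("knob on  : %d\n", chflags_check_with_knob(&jailed_root, SF_IMMUTABLE, 0));
    return 0;
}
```

Run stand-alone it prints 0 (allowed), EPERM, 0 for the three cases. The point to keep in view when reviewing such a patch: the knob must only change how the jailed credential is classified, while the securelevel clause for unjailed root and the blanket refusal for non-root stay exactly as they are.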