Call for a hacker.... security.bsd.see_other_uids in jails only
Drew Broadley
drew at corrupt.co.nz
Fri May 21 05:32:35 PDT 2004
Pawel Jakub Dawidek wrote:
>On Thu, May 20, 2004 at 11:01:45PM +0100, Josef Karthauser wrote:
>+> I was wondering whether someone might help me out.
>+>
>+> There's a couple of sysctls in -current:
>+>
>+> security.bsd.see_other_uids: 1
>+> security.bsd.see_other_gids: 1
>+>
>+> These effectively allow one to prevent users from spying on each
>+> other.
>+>
>+> What I need to do is to disable these within jails, but not in the
>+> host enviroment. The reason I need this is that I'm running the
>+> FreeBSD election on a box of mine, but I don't want to have to clear
>+> these globally.
>+>
>+> Would someone have the time to hack me a patch to do this? It doesn't
>+> have to be clean, although evenually I'd like to see something like
>+> this committed to freebsd operating on a sysctl.
>
>Implementation wouldn't be probably too hard, but I can't agree it should
>be committed. We need to know where jail's virtualization ends and I think
>it is too far. Of course it will be cool to have those sysctl on per-jail
>basics, as well as others from security.bsd. tree
>(like security.bsd.suser_enabled), but I'm not sure this is the right way
>to go.
>
>Any other opinions? If someone convince me we should do it, I can do it.
>
>
Surely this persons requirements are far and beyond what chroot (jail)
has to offer.
If they want the ability to change sysctl values per jail, why not just
set up virtual machines per user ? Surely this would give him the
flexibility he needs and the pure security of users not seeing other
users jails ?
That's my two cent's, and it saves a lot of unnecessary hard work.
- Drew
More information about the freebsd-current
mailing list