unprivileged users are able to kill certain jailed processes
Chad Leigh -- Shire.Net LLC
chad at shire.net
Mon Feb 6 13:14:23 PST 2006
On Feb 6, 2006, at 1:29 PM, Björn König wrote:
> Andre Oppermann schrieb:
>
>> [...] If you have normal users on the host and
>> have jails under the same user id then, yea, tough luck. You're not
>> supposed to do that. [...]
>
> Yes, I can prevent from overlapping UIDs, but how to prevent from
> that if host administrator and jail administrator are two
> independent parties? It requires much more carefulness and
> precautions.
Well, the host admin, when detailing services and responsibilities to
the jail admin (I have a similar situation), can tell the jail admin
which range of UIDs to use for new users. I typically use the last
byte of the IP address * 100 as the base.
Eg, say a jail is 192.168.1.100 then they can start with 10000 as a
UID and go up to 10100.
Additionally, the host should ideally have no users but the bare
minimum for the admin. All the "host"-based users and services
should ideally be in their own jail.
And if you can use a common base jail install mounted read only
inside each jail, you will greatly increase security of the jails as
exploits that replace system binaries will fail.
gruss aus utah
Chad
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
More information about the freebsd-current
mailing list