unprivileged users are able to kill certain jailed processes
Julian Elischer
julian at elischer.org
Mon Feb 6 13:24:18 PST 2006
Chad Leigh -- Shire.Net LLC wrote:
>
> On Feb 6, 2006, at 1:29 PM, Björn König wrote:
>
>> Andre Oppermann schrieb:
>>
>>> [...] If you have normal users on the host and
>>> have jails under the same user id then, yea, tough luck. You're not
>>> supposed to do that. [...]
>>
>>
>> Yes, I can prevent from overlapping UIDs, but how to prevent from
>> that if host administrator and jail administrator are two
>> independent parties? It requires much more carefulness and precautions.
>
>
> Well, the host admin, when detailing services and responsibilities to
> the jail admin (I have a similar situation), can tell the jail admin
> which range of UIDs to use for new users. I typically use the last
> byte of the IP address * 100 as the base.
>
> Eg, say a jail is 192.168.1.100 then they can start with 10000 as a
> UID and go up to 10100.
>
> Additionally, the host should ideally have no users but the bare
> minimum for the admin. All the "host"-based users and services
> should ideally be in their own jail.
Genrally at Vicor, we had a rule that either all users were in jails, or
none were..
A Jail server wasn't considered part of the resources available to
users, only the jails themselves.
>
> And if you can use a common base jail install mounted read only
> inside each jail, you will greatly increase security of the jails as
> exploits that replace system binaries will fail.
>
> gruss aus utah
> Chad
>
>
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad at shire.net
>
>
>
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to
> "freebsd-current-unsubscribe at freebsd.org"
More information about the freebsd-current
mailing list