unprivileged users are able to kill certain jailed processes
    Chad Leigh -- Shire.Net LLC 
    chad at shire.net
       
    Mon Feb  6 13:29:00 PST 2006
    
    
  
On Feb 6, 2006, at 2:24 PM, Julian Elischer wrote:
> Chad Leigh -- Shire.Net LLC wrote:
>
>>
>> On Feb 6, 2006, at 1:29 PM, Björn König wrote:
>>
>>> Andre Oppermann wrote:
>>>
>>>> [...] If you have normal users on the host and
>>>> have jails under the same user id then, yea, tough luck.  You're  
>>>> not
>>>> supposed to do that. [...]
>>>
>>>
>>> Yes, I can prevent overlapping UIDs, but how do you prevent
>>> that if the host administrator and the jail administrator are two
>>> independent parties? It requires much more carefulness and
>>> precautions.
>>
>>
>> Well, the host admin, when detailing services and responsibilities  
>> to  the jail admin (I have a similar situation), can tell the jail  
>> admin  which range of UIDs to use for new users.  I typically use  
>> the last  byte of the IP address * 100 as the base.
>>
>> Eg, say a jail is 192.168.1.100 then they can start with 10000 as  
>> a  UID and go up to 10100.
>>
>> Additionally, the host should ideally have no users but the bare   
>> minimum for the admin.  All the "host"-based users and services   
>> should ideally be in their own jail.
>
>
> Generally at Vicor, we had a rule that either all users were in  
> jails, or none were..
> A Jail server wasn't considered part of the resources available to  
> users, only the jails themselves.
Exactly.  Our jail servers have a login account only for those admin  
personnel who need to admin the server itself.  It is ONLY accessible  
through certificate protected ssh (no passwords allowed) and no  
services run on the jail server itself, only services in jails, so  
the only open port on the jail server itself is the sshd one...
Best
Chad
>
>
>>
>> And if you can use a common base jail install mounted read only   
>> inside each jail, you will greatly increase security of the jails  
>> as  exploits that replace system binaries will fail.
>>
>> greetings from Utah
>> Chad
>>
>>
>> ---
>> Chad Leigh -- Shire.Net LLC
>> Your Web App and Email hosting provider
>> chad at shire.net
>>
>>
>>
>
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
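
The UID-range convention quoted in this message (last byte of the jail's IP address * 100 as the base) can be audited mechanically. The following is an added example, not code from the thread or from FreeBSD: it checks jail passwd files against that convention and against the host's own accounts. The half-open range, the 1000 system-UID cutoff, the skipped `nobody` UID and the sample data are assumptions.

```python
import ipaddress
FIRST_USER_UID = 1000   # assumption: lower UIDs are system accounts
NOBODY_UID = 65534      # assumption: shared "nobody" account is ignored

def uid_range(jail_ip):
    """Thread's convention: base = last byte of the jail IP * 100.
    Half-open [base, base+100) so neighbouring jails do not share base+100."""
    base = ipaddress.IPv4Address(jail_ip).packed[-1] * 100
    return range(base, base + 100)

def parse_passwd(text):
    """Map uid -> account name from passwd(5)-style lines (first name wins)."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and not line.startswith("#") and fields[2].isdigit():
            users.setdefault(int(fields[2]), fields[0])
    return users

def audit(host_passwd, jails):
    """jails: {jail_ip: passwd text}. Returns a sorted list of finding strings."""
    findings = []
    host = {u: n for u, n in parse_passwd(host_passwd).items()
            if u >= FIRST_USER_UID and u != NOBODY_UID}
    seen = {}  # range base -> first jail IP that claimed it
    for ip, text in jails.items():
        allowed = uid_range(ip)
        if allowed.start < FIRST_USER_UID:
            findings.append(f"{ip}: range starts at {allowed.start}, inside system UIDs")
        if allowed.start in seen:
            findings.append(f"{ip}: same UID range as jail {seen[allowed.start]}")
        seen.setdefault(allowed.start, ip)
        for uid, name in parse_passwd(text).items():
            if uid < FIRST_USER_UID or uid == NOBODY_UID:
                continue
            if uid in host:
                findings.append(f"{ip}: {name} shares UID {uid} with host user {host[uid]}")
            if uid not in allowed:
                findings.append(f"{ip}: {name} has UID {uid} outside {allowed.start}-{allowed.stop - 1}")
    return sorted(findings)

# Constructed sample data (not from the thread).
HOST = "root:*:0:0::/root:/bin/csh\nadmin:*:1001:1001::/home/admin:/bin/sh\n"
JAILS = {
    "192.168.1.100": "root:*:0:0::/root:/bin/csh\nalice:*:10000:10000::/home/alice:/bin/sh\n",
    "192.168.2.100": "bob:*:1001:1001::/home/bob:/bin/sh\n",
}
if __name__ == "__main__":
    print("\n".join(audit(HOST, JAILS)))
```

The second sample jail shows two limits of the convention: jails on different subnets with the same last byte get the same range, and a last byte below 10 puts the base inside the system UID space.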
    
    