GSoC Idea: per-process filesystem namespaces for FreeBSD

Theron Tarigo theron.tarigo at gmail.com
Tue Mar 13 21:41:32 UTC 2018 

Hi Kristoffer,

That will of course need to be worked out, since it is the classic 
safety problem  of chroot.  The first idea I can think of is that any 
user-switching (i.e. executing setuid files) resets the namespace, 
similarly to "su - " resetting the environment variables by way of 
simulating a new login.  Maybe it will not work out to be so simple, as 
I can see there will be a lot of research ahead for me, but I feel 
strongly that it will not be insurmountable.  If I implement this as a 
special filesystem rather than as a modification to the vfs, it can be 
as simple as not allowing any setuid, as with the "nosuid" option of 
existing filesystems.

As I understand it, Plan9 uses namespaces so thoroughly that a superuser 
is not needed and all restrictions of privilege are accomplished through 
launching "unprivileged" processes into a namespace that contains only 
the resources that user should have access to.  While this may make 
sense within Plan9, it is sufficiently alien to the Unix ways of 
handling security that I don't think it makes any sense to try to do 
things this way on FreeBSD.  There will probably always be security 
risks associated with anything running as uid 0 regardless of 
restrictions to its environment.*  What I am trying to accomplish is to 
stay roughly within the Unix model but to provide a layer of flexibility 
appropriate for addressing a specific need, and the solution I have in 
mind happens to parallel a Plan9 concept.

Theron


* """
      In addition, there are several ways in which an unprivileged user 
outside
      the jail can cooperate with a privileged user inside the jail and 
thereby
      obtain elevated privileges in the host environment.
""" - JAIL(8) manual

On 03/13/18 15:55, Kristoffer Eriksson wrote:
> On 13 Mar 2018 12:53:18, Theron <theron.tarigo at gmail.com> wrote:
>> For those unfamiliar with Plan9, here is a rough explanation of the
>> namespace feature: unlike in Unix, where all processes share the same
>> virtual filesystem, each process instead has its own view of the
>> filesystem according to what has been mounted ...
> What if I mount a new /etc with a passwd file where root has no
> password, and then run "su"?
>
> (How does Plan9 handle that?)
>
> Regards/Kristoffer Eriksson

More information about the freebsd-hackers mailing list