GSoC Idea: per-process filesystem namespaces for FreeBSD
Theron Tarigo
theron.tarigo at gmail.com
Tue Mar 13 21:41:32 UTC 2018
Hi Kristoffer,
That will of course need to be worked out, since it is the classic
safety problem of chroot. The first idea I can think of is that any
user-switching (i.e. executing setuid files) resets the namespace,
similarly to "su - " resetting the environment variables by way of
simulating a new login. Maybe it will not work out to be so simple, as
I can see there will be a lot of research ahead for me, but I feel
strongly that it will not be insurmountable. If I implement this as a
special filesystem rather than as a modification to the vfs, it can be
as simple as not allowing any setuid, as with the "nosuid" option of
existing filesystems.
As I understand it, Plan9 uses namespaces so thoroughly that a superuser
is not needed and all restrictions of privilege are accomplished through
launching "unprivileged" processes into a namespace that contains only
the resources that user should have access to. While this may make
sense within Plan9, it is sufficiently alien to the Unix ways of
handling security that I don't think it makes any sense to try to do
things this way on FreeBSD. There will probably always be security
risks associated with anything running as uid 0 regardless of
restrictions to its environment.* What I am trying to accomplish is to
stay roughly within the Unix model but to provide a layer of flexibility
appropriate for addressing a specific need, and the solution I have in
mind happens to parallel a Plan9 concept.
Theron
* """
In addition, there are several ways in which an unprivileged user outside
the jail can cooperate with a privileged user inside the jail and thereby
obtain elevated privileges in the host environment.
""" - JAIL(8) manual
On 03/13/18 15:55, Kristoffer Eriksson wrote:
> On 13 Mar 2018 12:53:18, Theron <theron.tarigo at gmail.com> wrote:
>> For those unfamiliar with Plan9, here is a rough explanation of the
>> namespace feature: unlike in Unix, where all processes share the same
>> virtual filesystem, each process instead has its own view of the
>> filesystem according to what has been mounted ...
> What if I mount a new /etc with a passwd file where root has no
> password, and then run "su"?
>
> (How does Plan9 handle that?)
>
> Regards/Kristoffer Eriksson