jails and mac_seeotheruids problems in 6-STABLE

Robert Watson rwatson at FreeBSD.org
Tue Sep 30 09:42:10 UTC 2008


On Tue, 30 Sep 2008, George Mamalakis wrote:

> I have 3 servers in my lab. 2 of them are running 6-STABLE and one of them 
> is running 7-STABLE. All three have services running in jails. I noticed a 
> very peculiar behavior in 6-STABLE when I set the sysctl 
> security.mac.seeotheruids.enabled=1. The root user in my jails was not able 
> to see processes and sockets owned by other users of the same jail, whereas 
> the root user of the host system could see every process (thank the 
> Almighty). The same behavior does not apply on the server running 7-STABLE.
>
> In one sense it is more secure, since the root user in a jail is not as 
> "strong" as the root user should be in a UNIX system. On the other hand, the 
> root user loses its purpose of existence, which I suppose is a bug.
>
> Below are the security.mac sysctl settings of both 6 and 7-STABLE:

Could you try modifying src/sys/security/mac_seeotheruids/mac_seeotheruids.c 
in a 6.x tree so that the call to suser_cred() in mac_seeotheruids_check() 
passes the SUSER_ALLOWJAIL flag rather than 0?  This may correct the problem 
you're experiencing.  Let me know and I can merge that change to 6.x.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> 6-STABLE:
>
> security.mac.max_slots: 4
> security.mac.enforce_network: 1
> security.mac.enforce_pipe: 1
> security.mac.enforce_posix_sem: 1
> security.mac.enforce_suid: 1
> security.mac.mmap_revocation_via_cow: 0
> security.mac.mmap_revocation: 1
> security.mac.enforce_vm: 1
> security.mac.enforce_process: 1
> security.mac.enforce_socket: 1
> security.mac.enforce_system: 1
> security.mac.enforce_kld: 1
> security.mac.enforce_sysv_msg: 1
> security.mac.enforce_sysv_sem: 1
> security.mac.enforce_sysv_shm: 1
> security.mac.enforce_fs: 1
> security.mac.seeotheruids.specificgid: 0
> security.mac.seeotheruids.specificgid_enabled: 0
> security.mac.seeotheruids.primarygroup_enabled: 0
> security.mac.seeotheruids.enabled: 1
> security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443
> security.mac.portacl.port_high: 1023
> security.mac.portacl.autoport_exempt: 1
> security.mac.portacl.suser_exempt: 1
> security.mac.portacl.enabled: 1
>
>
> 7-STABLE:
>
> security.mac.max_slots: 4
> security.mac.version: 3
> security.mac.mmap_revocation_via_cow: 0
> security.mac.mmap_revocation: 1
> security.mac.seeotheruids.specificgid: 0
> security.mac.seeotheruids.specificgid_enabled: 0
> security.mac.seeotheruids.suser_privileged: 1
> security.mac.seeotheruids.primarygroup_enabled: 0
> security.mac.seeotheruids.enabled: 1
>
> I would be very glad if someone could inform me whether I am doing something 
> wrong; if not I think I should inform FreeBSD about this bug.
>
> Thank you guys in advance,
>
> -- 
> George Mamalakis
>
> IT Officer
> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
> MSc (Imperial College of London)
>
> Department of Electrical and Computer Engineering
> Faculty of Engineering
> Aristotle University of Thessaloniki
>
> phone number : +30 (2310) 994379
>
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>
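
The difference Robert's suggestion turns on is the second argument to suser_cred(): with 0, a root credential inside a jail is not treated as privileged, so the module falls through to ESRCH for any object owned by another uid; with SUSER_ALLOWJAIL, jailed root passes the privilege check and sees the whole jail. The following is an added illustration, not code from this thread or from the FreeBSD source tree: a user-space C model of that decision, with simplified struct ucred, suser_cred() and mac_seeotheruids_check() bodies that are assumptions mirroring the 6.x logic as described above (the 7.x priv(9) path and its suser_privileged sysctl are not modelled). The credentials and uids are constructed for the example.

```c
/* Added example: user-space model of the 6.x mac_seeotheruids check and of
 * the suser_cred() jail rule.  The struct, constants and function bodies are
 * simplified assumptions for illustration, not the kernel's definitions. */
#include <errno.h>
#include <stdio.h>

#define SUSER_ALLOWJAIL 0x01   /* assumed value; only the bit's meaning matters */

struct ucred {
    unsigned int uid;     /* effective uid, used for the privilege decision */
    unsigned int ruid;    /* real uid, used for the "same user" comparison */
    int jailed;           /* 1 if the credential belongs to a jailed process */
};

/* Constructed helper: a credential whose effective and real uid agree. */
static struct ucred mkcred(unsigned int uid, int jailed)
{
    struct ucred c;
    c.uid = uid;
    c.ruid = uid;
    c.jailed = jailed;
    return c;
}

/* Model of suser_cred(): root is privileged unless the credential is jailed
 * and the caller did not pass SUSER_ALLOWJAIL. */
static int suser_cred(const struct ucred *cred, int flag)
{
    if (cred->uid != 0)
        return EPERM;
    if (cred->jailed && !(flag & SUSER_ALLOWJAIL))
        return EPERM;
    return 0;
}

/* Model of mac_seeotheruids_check(): may subject u1 see an object owned by u2?
 * 'suser_flag' is what the module passes to suser_cred(): 0 in the 6.x module
 * as shipped, SUSER_ALLOWJAIL in the change proposed in the reply.
 * 'enabled' stands in for security.mac.seeotheruids.enabled. */
static int mac_seeotheruids_check(const struct ucred *u1, const struct ucred *u2,
                                  int suser_flag, int enabled)
{
    if (!enabled)
        return 0;
    if (u1->ruid == u2->ruid)
        return 0;                       /* same real uid: always visible */
    if (suser_cred(u1, suser_flag) == 0)
        return 0;                       /* privileged subject sees everyone */
    return ESRCH;                       /* otherwise the object is hidden */
}

/* Convenience wrapper: can jailed root see another user's object under the
 * given suser flag?  Returns 1 for visible, 0 for hidden. */
static int jailed_root_sees_other(int suser_flag)
{
    struct ucred jailed_root = mkcred(0, 1);
    struct ucred other_user = mkcred(80, 1);   /* e.g. the www uid from the portacl rule */
    return mac_seeotheruids_check(&jailed_root, &other_user, suser_flag, 1) == 0;
}

int main(void)
{
    struct ucred host_root = mkcred(0, 0);
    struct ucred jailed_root = mkcred(0, 1);
    struct ucred www = mkcred(80, 1);
    struct ucred other = mkcred(1001, 1);

    printf("host root sees uid 80 (flag 0):           %s\n",
           mac_seeotheruids_check(&host_root, &www, 0, 1) == 0 ? "yes" : "no");
    printf("jailed root sees uid 80 (flag 0):         %s\n",
           jailed_root_sees_other(0) ? "yes" : "no");
    printf("jailed root sees uid 80 (SUSER_ALLOWJAIL): %s\n",
           jailed_root_sees_other(SUSER_ALLOWJAIL) ? "yes" : "no");
    printf("uid 80 sees uid 1001 (SUSER_ALLOWJAIL):    %s\n",
           mac_seeotheruids_check(&www, &other, SUSER_ALLOWJAIL, 1) == 0 ? "yes" : "no");
    return 0;
}
```

Running the model reproduces the report: host root sees everything under either flag, jailed root is blocked with flag 0 and allowed with SUSER_ALLOWJAIL, and an unprivileged user stays restricted to its own uid in both cases, so the proposed change widens visibility only for jailed root, not for ordinary jail users.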
