jails and mac_seeotheruids problems in 6-STABLE
Robert Watson
rwatson at FreeBSD.org
Tue Sep 30 16:16:40 UTC 2008
On Tue, 30 Sep 2008, George Mamalakis wrote:
> It works like a charm! Thank you very much for your time and help,
No problem -- I've gone ahead and committed that change to stable/6. If
you're able to test 6.4RC1 when it comes out to confirm that the fix works
there as desired, that would be most helpful.
Thanks,
Robert N M Watson
Computer Laboratory
University of Cambridge
>
> regards,
>
>
> Robert Watson wrote:
>>
>> On Tue, 30 Sep 2008, George Mamalakis wrote:
>>
>>> I have 3 servers in my lab. 2 of them are running 6-STABLE and one of them
>>> is running 7-STABLE. All three have services running in jails. I noticed a
>>> very peculiar behavior in 6-STABLE when I set the sysctl
>>> security.mac.seeotheruids.enabled=1. The root user in my jails was not
>>> able to see processes and sockets owned by other users of the same jail,
>>> whereas the root user of the host system could see every process (thank
>>> the Almighty). The same behavior does not apply on the server running
>>> 7-STABLE.
>>>
>>> In one sense it is more secure, since the root user in a jail is not as
>>> "strong" as the root user should be in a UNIX system. On the other hand,
>>> the root user loses its purpose of existence, which I suppose is a bug.
>>>
>>> Below are the security.mac sysctl settings of both 6 and 7-STABLE:
>>
>> Could you try modifying
>> src/sys/security/mac_seeotheruids/mac_seeotheruids.c in a 6.x tree so that
>> the call to suser_cred() in mac_seeotheruids_check() passes the
>> SUSER_ALLOWJAIL flag rather than 0? This may correct the problem you're
>> experiencing. Let me know and I can merge that change to 6.x.
>>
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>>
>>>
>>> 6-STABLE:
>>>
>>> security.mac.max_slots: 4
>>> security.mac.enforce_network: 1
>>> security.mac.enforce_pipe: 1
>>> security.mac.enforce_posix_sem: 1
>>> security.mac.enforce_suid: 1
>>> security.mac.mmap_revocation_via_cow: 0
>>> security.mac.mmap_revocation: 1
>>> security.mac.enforce_vm: 1
>>> security.mac.enforce_process: 1
>>> security.mac.enforce_socket: 1
>>> security.mac.enforce_system: 1
>>> security.mac.enforce_kld: 1
>>> security.mac.enforce_sysv_msg: 1
>>> security.mac.enforce_sysv_sem: 1
>>> security.mac.enforce_sysv_shm: 1
>>> security.mac.enforce_fs: 1
>>> security.mac.seeotheruids.specificgid: 0
>>> security.mac.seeotheruids.specificgid_enabled: 0
>>> security.mac.seeotheruids.primarygroup_enabled: 0
>>> security.mac.seeotheruids.enabled: 1
>>> security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443
>>> security.mac.portacl.port_high: 1023
>>> security.mac.portacl.autoport_exempt: 1
>>> security.mac.portacl.suser_exempt: 1
>>> security.mac.portacl.enabled: 1
>>>
>>>
>>> 7-STABLE:
>>>
>>> security.mac.max_slots: 4
>>> security.mac.version: 3
>>> security.mac.mmap_revocation_via_cow: 0
>>> security.mac.mmap_revocation: 1
>>> security.mac.seeotheruids.specificgid: 0
>>> security.mac.seeotheruids.specificgid_enabled: 0
>>> security.mac.seeotheruids.suser_privileged: 1
>>> security.mac.seeotheruids.primarygroup_enabled: 0
>>> security.mac.seeotheruids.enabled: 1
>>>
>>> I would be very glad if someone could inform me whether I am doing
>>> something wrong; if not, I think I should inform FreeBSD about this bug.
>>>
>>> Thank you guys in advance,
>>>
>>> --
>>> George Mamalakis
>>>
>>> IT Officer
>>> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
>>> MSc (Imperial College of London)
>>>
>>> Department of Electrical and Computer Engineering
>>> Faculty of Engineering
>>> Aristotle University of Thessaloniki
>>>
>>> phone number : +30 (2310) 994379
>>>
>>> _______________________________________________
>>> freebsd-stable at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>>
>
> --
> George Mamalakis
>
> IT Officer
> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
> MSc (Imperial College of London)
>
> Department of Electrical and Computer Engineering
> Faculty of Engineering
> Aristotle University of Thessaloniki
>
> phone number : +30 (2310) 994379
>
>
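The following is an added example, not code from this thread or from the FreeBSD kernel: a small user-space model of the mac_seeotheruids visibility check discussed above, written to show why passing 0 to suser_cred() hides other users' processes from root inside a jail while SUSER_ALLOWJAIL restores the expected behaviour. The struct layout, the `jailed` field, the wrapper functions and the sample uids (80 for a web server, 1001 for an ordinary user) are simplifications and constructed values; only the sysctl names, SUSER_ALLOWJAIL and the function names mac_seeotheruids_check()/suser_cred() come from the thread.

```c
/*
 * Added example (not FreeBSD source): user-space model of the 6.x
 * mac_seeotheruids check with the two suser_cred() flag variants.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define SUSER_ALLOWJAIL 0x01   /* flag name from the thread; value assumed */

/* Simplified credential: real uid, real gid, and whether the process is jailed. */
struct ucred {
    unsigned ruid;
    unsigned rgid;
    bool jailed;
};

/* The security.mac.seeotheruids.* knobs from the sysctl listing. */
static int seeotheruids_enabled = 1;
static int primarygroup_enabled = 0;
static int specificgid_enabled = 0;
static unsigned specificgid = 0;

/*
 * Model of suser_cred(): root passes only if it is not jailed, or if the
 * caller explicitly permitted jailed root by passing SUSER_ALLOWJAIL.
 */
static int suser_cred(const struct ucred *cred, int flags)
{
    if (cred->ruid != 0)
        return EPERM;
    if (cred->jailed && !(flags & SUSER_ALLOWJAIL))
        return EPERM;
    return 0;
}

/*
 * Model of mac_seeotheruids_check(u1, u2): may subject u1 see an object
 * owned by u2?  Returns 0 (visible) or ESRCH (hidden).  suser_flags is the
 * value handed to suser_cred(): 0 reproduces the 6-STABLE symptom from the
 * report, SUSER_ALLOWJAIL is the change suggested in the thread.
 */
static int seeotheruids_check(const struct ucred *u1, const struct ucred *u2,
                              int suser_flags)
{
    if (!seeotheruids_enabled)
        return 0;
    if (primarygroup_enabled && u1->rgid == u2->rgid)
        return 0;
    if (specificgid_enabled && u1->rgid == specificgid)
        return 0;
    if (u1->ruid == u2->ruid)
        return 0;
    if (suser_cred(u1, suser_flags) == 0)
        return 0;
    return ESRCH;
}

/* Scenario wrappers; credentials below are constructed sample values. */
static int jailed_root_sees_other_uid(int suser_flags)
{
    struct ucred jail_root = { 0, 0, true };
    struct ucred www = { 80, 80, true };
    return seeotheruids_check(&jail_root, &www, suser_flags);
}

static int host_root_sees_other_uid(int suser_flags)
{
    struct ucred host_root = { 0, 0, false };
    struct ucred www = { 80, 80, true };
    return seeotheruids_check(&host_root, &www, suser_flags);
}

static int unprivileged_sees_other_uid(int suser_flags)
{
    struct ucred alice = { 1001, 1001, true };
    struct ucred www = { 80, 80, true };
    return seeotheruids_check(&alice, &www, suser_flags);
}

static const char *vis(int rc) { return rc == 0 ? "visible" : "hidden"; }

int main(void)
{
    printf("suser_cred flag 0:\n");
    printf("  jailed root -> other uid: %s\n", vis(jailed_root_sees_other_uid(0)));
    printf("  host root   -> other uid: %s\n", vis(host_root_sees_other_uid(0)));
    printf("suser_cred flag SUSER_ALLOWJAIL:\n");
    printf("  jailed root -> other uid: %s\n", vis(jailed_root_sees_other_uid(SUSER_ALLOWJAIL)));
    printf("  non-root    -> other uid: %s\n", vis(unprivileged_sees_other_uid(SUSER_ALLOWJAIL)));
    return 0;
}
```

With flag 0 the model hides other users' objects from jailed root while host root still sees everything, which matches the reported 6-STABLE behaviour; with SUSER_ALLOWJAIL jailed root is exempted like host root, and an unprivileged user stays restricted either way. Note that the 7-STABLE listing above carries a separate security.mac.seeotheruids.suser_privileged knob that the 6-STABLE listing lacks, so the two branches expose the superuser exemption differently.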