jexec as user?
Dewayne Geraghty
dewaynegeraghty at gmail.com
Tue Nov 19 21:04:24 UTC 2019
Good question Ronald.
A test - I can login to jail (b3) where I run apache as www user, so
# jexec -U www b3 /bin/tcsh
> whoami; id
www
uid=80(www) gid=80(www) groups=80(www)
Expected - good!
and I can, in the host
# su -m www -c "whoami; id"
www
uid=80(www) gid=80(www) groups=80(www)
Good - so my user exists in both host and jail. Though for your purposes
the host user could be anyone.
So we've demonstrated that I have an unpriv'ed user in both the host and
jailed context. But....
# /usr/bin/su -m www -c "jexec -U www b3 /usr/bin/whoami"
jexec: initgroups: www: Operation not permitted
So unless I/we can identify the cause of this, you're stuck. Which
surprised me, as I typically run stuff in my jails using commands from the
host, like:
/usr/sbin/jexec -U www b3 /usr/local/sbin/httpd -f /usr/local/etc/apache24/httpd.conf
Now to part 2 of your question. I do run sshd quite happily in the jails,
so that may be an option for you. (actually I use dropbear in situations
where I don't require the proper audit logs and it's approx 50% of the sshd
resources ;))
More information about the freebsd-stable
mailing list