svn commit: r318751 - in head/sys: kern sys
Benjamin Kaduk
bjkfbsd at gmail.com
Mon Oct 23 13:34:49 UTC 2017
On Mon, Oct 23, 2017 at 8:31 AM, Steve Wills <swills at freebsd.org> wrote:
>
> Note too that security.bsd.see_jail_proc is partially a work around for
> the fact that security.bsd.see_other_* doesn't work as you might expect.
> It's literally the UID/GID, rather than the username, so
> security.bsd.see_other_* has no idea that the users in the jail are not the
> same users on the host, which is unexpected and counter-intuitive at best
> and dangerous at worst. (Even if that were changed,
> security.bsd.see_jail_proc is still useful for the potential scenario where
> you don't want/need to set security.bsd.see_other_* but don't want users to
> see processes in jails.)
security.bsd.see_other_* cannot do anything *but* UID/GID -- note that it
is supported to have multiple user entries on a single system that share a
UID, and the username used to log in is not tracked by the kernel. (E.g.,
root and toor.)
-Ben
More information about the svn-src-all
mailing list