svn commit: r224475 - head/usr.sbin/jail
Robert Watson
rwatson at FreeBSD.org
Thu Jul 28 15:28:46 UTC 2011
On Thu, 28 Jul 2011, Ben Kaduk wrote:
>> @@ -914,3 +914,8 @@ directory that is moved out of the jail'
>> access to the file space outside of the jail.
>> It is recommended that directories always be copied, rather than moved, out
>> of a jail.
>> +.Pp
>> +It is also not recommended that users allowed root in the jail be allowed
>> +access to the host system.
>> +For example, a root user in a jail can create a setuid root utility that
>> +could be run in the host system to achieve elevated privileges.
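Review bot: the new sentence "It is also not recommended that users allowed root in the jail be allowed access to the host system" reads as a double negative and is hard to parse; a plainer wording such as "Users who have root in the jail should not also be given access to the host system." says the same thing. In the example that follows, "run in the host system" should be "run on the host system", and it would help the reader to state the reason the example works: the host sees the jail's file system, so a setuid root binary created inside the jail is an ordinary setuid root binary from the host's point of view.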
>
> Per rwatson's comment on the other jail.8 thread we've got going, we might
> recommend that the separate file system for a jail might also be mounted
> nosuid, which would close off this class of attack.
Setting nosuid will break many common jail installations by turning off things
like su(1), sudo, crontab, at, etc.
I think that the better way to approach this may be to discuss, briefly, the
philosophy behind Jail: it's not a virtualisation service, it's a subsetting
service. A result of that is that the host system is a superset of the
various containers, and has properties derived from each of them. You could
imagine using various integrity/tainting schemes to avoid this issue -- a new
nosuidjail (don't allow it to be setuid except in a jail), using some of our
MAC-related schemes, etc. I would be tempted not to do things, but rather, to
document the actual semantics and some of the implications.
Robert
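As an added illustration of the point in this exchange (example code, not part of the thread or of jail(8)): the class of file the proposed text warns about is a setuid or setgid executable sitting inside the jail's file system, which the host can execute with the same privilege semantics as any other file. Mounting the jail's file system nosuid would neutralise those files, but, as noted above, it also neutralises su(1), sudo and the other setuid tools a jail normally relies on. The script below audits a jail root for such files so an administrator can see what a nosuid mount would actually affect, and parses a mount option string for nosuid. The directory tree it builds is constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): enumerate setuid/setgid
# executables under a jail root, and check a mount option string for nosuid.

# list_setuid DIR: print regular files under DIR with the setuid or setgid
# bit set, staying on the same file system (-xdev) as a jail root would.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# count_setuid DIR: number of files list_setuid would report.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# opts_have_nosuid OPTS: succeed if a comma-separated mount option string
# (as shown by mount(8)) contains the nosuid option.
opts_have_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample jail tree: two setuid/setgid tools and one ordinary one.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin" "$demo_root/usr/local/bin"
printf '#!/bin/sh\necho su\n'   > "$demo_root/usr/bin/su"
printf '#!/bin/sh\necho wall\n' > "$demo_root/usr/bin/wall"
printf '#!/bin/sh\necho tool\n' > "$demo_root/usr/local/bin/tool"
chmod 4755 "$demo_root/usr/bin/su"         # setuid: what su(1) needs
chmod 2755 "$demo_root/usr/bin/wall"       # setgid
chmod 755  "$demo_root/usr/local/bin/tool" # neither bit set

echo "setuid/setgid files under $demo_root:"
list_setuid "$demo_root"
echo "total: $(count_setuid "$demo_root")"

# Constructed option strings, as a mount(8) line might show them.
for opts in "rw,nosuid,noexec" "rw"; do
    if opts_have_nosuid "$opts"; then
        echo "options '$opts': nosuid set, the files above would not elevate"
    else
        echo "options '$opts': nosuid not set"
    fi
done
```

Run it against a real jail root (for example `list_setuid /path/to/jail`) to see which binaries a nosuid mount would disable; the list is typically exactly the su, sudo, crontab and similar tools named above, which is why the thread treats nosuid as a blunt instrument rather than a fix.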