svn commit: r318751 - in head/sys: kern sys

Konstantin Belousov kostikbel at gmail.com
Mon Oct 23 15:15:34 UTC 2017


On Mon, Oct 23, 2017 at 09:31:42AM -0400, Steve Wills wrote:
> Hi,
> 
> On 10/21/2017 18:55, Allan Jude wrote:
> > On 2017-10-21 18:45, Steven Hartland wrote:
> >> Personally I hate that idea as like being able to see all the processes
> >> from the host.
> >>
> >> I have a similar hate of Linux containers where you have to jump through
> >> hoops just to see what's really happening on the host.
> >>
> >> On Sat, 21 Oct 2017 at 20:29, Allan Jude <allanjude at freebsd.org
> > 
> > Note: this does NOT change root's ability to see the processes in the jail.
> > 
> > It just stops uid 1001 on the host from using the processes owned by uid
> > 1001 in each jail, even in the presence of: security.bsd.see_other_uids=0
> > 
> > 
> 
> I think we'd be doing our users a service by enabling this by default 
> and avoiding the potential foot-shooting. I'd even be happy if we set 
No, you propose to do exactly the reverse, by making it impossible to
properly observe the global system state.  E.g. the administrator on the
host, that is, the machine owner, would be unable to see jailed processes
which eat system resources.

> the other security.bsd.see_other_* to 0 by default. Or at least change 
> the installer to default that way (if it doesn't already? I'm not sure).
And this is plain stupid.  The only config where see_other_uids might
not be completely detrimental is probably public-access shell boxes,
and even there the harm from it probably outweighs the obscurity it
provides.

> 
> Personally, I'm going to do that locally anyway so if we don't do those 
> things, I won't be upset, but saddened for our users sake.
Personally, I will have to revert this on all my computers if this ever
gets in.

> 
> Note too that security.bsd.see_jail_proc is partially a work around for 
> the fact that security.bsd.see_other_* doesn't work as you might expect. 
It works exactly as I expect.

> It's literally the UID/GID, rather than the username, so 
> security.bsd.see_other_* has no idea that the users in the jail are not 
> the same users on the host, which is unexpected and counter-intuitive at 
> best and dangerous at worst. (Even if that were changed, 
> security.bsd.see_jail_proc is still useful for the potential scenario 
> where you don't want/need to set security.bsd.see_other_* but don't want 
> users to see processes in jails.)
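The disagreement above turns on how the three sysctls compose: see_other_uids keys purely on the numeric uid, so a host user and a jailed user with the same uid are "the same user" to it, while see_jail_proc keys on the jail boundary and root keeps full visibility either way. The following is an added example, not code from the FreeBSD kernel or from this commit: a hypothetical, simplified C model of that policy (one uid and gid per credential, flat jails numbered from 1 with 0 meaning the host, and the assumption that any uid 0 credential holds the PRIV_SEEOTHERUIDS/PRIV_SEEOTHERGIDS/PRIV_SEEJAILPROC privileges, with the jail boundary for jailed root enforced separately). The process table is constructed for the demonstration.

```c
/* Hypothetical model of security.bsd.see_other_uids, see_other_gids and
 * see_jail_proc (not FreeBSD kernel source). Assumptions: one uid/gid per
 * credential, flat jails (0 = host), and any uid 0 holds the PRIV_SEE*
 * privileges; jailed root is still confined by prison_check(). */
#include <stddef.h>
#include <stdio.h>

#define ESRCH_MODEL 3   /* stands in for errno ESRCH ("no such process") */

struct policy { int see_other_uids, see_other_gids, see_jail_proc; };
struct cred   { unsigned uid, gid; int prison; };   /* prison 0 = host */

/* Constructed process table: the host plus two jails, each of which also
 * has a process running as uid 1001 that is unrelated to host uid 1001. */
static const struct cred procs[] = {
    {    0,    0, 0 }, { 1001, 1001, 0 }, { 1002, 1002, 0 },   /* host   */
    {    0,    0, 1 }, { 1001, 1001, 1 },                      /* jail 1 */
    { 1001, 1001, 2 }, { 1002, 1002, 2 },                      /* jail 2 */
};
#define NPROCS (sizeof procs / sizeof procs[0])

static int has_see_priv(const struct cred *c)
{
    return c->uid == 0;             /* assumption: root holds PRIV_SEE* */
}

/* A jailed observer never sees outside its own jail; host observers are
 * only restricted by the policy knobs below. */
static int prison_check(const struct cred *u1, const struct cred *u2)
{
    return (u1->prison != 0 && u1->prison != u2->prison) ? ESRCH_MODEL : 0;
}

/* see_other_uids=0: only processes with the same numeric uid are visible,
 * regardless of which jail they live in (the "same uid" problem). */
static int cr_seeotheruids(const struct policy *p, const struct cred *u1,
                           const struct cred *u2)
{
    return (!p->see_other_uids && u1->uid != u2->uid && !has_see_priv(u1))
               ? ESRCH_MODEL : 0;
}

static int cr_seeothergids(const struct policy *p, const struct cred *u1,
                           const struct cred *u2)
{
    return (!p->see_other_gids && u1->gid != u2->gid && !has_see_priv(u1))
               ? ESRCH_MODEL : 0;
}

/* see_jail_proc=0: deny cross-jail visibility even when uid/gid match. */
static int cr_canseejailproc(const struct policy *p, const struct cred *u1,
                             const struct cred *u2)
{
    return (!p->see_jail_proc && u1->prison != u2->prison && !has_see_priv(u1))
               ? ESRCH_MODEL : 0;
}

/* Composite check: 0 if u1 may see u2's process, ESRCH_MODEL otherwise. */
int cr_cansee(const struct policy *p, const struct cred *u1,
              const struct cred *u2)
{
    int err;
    if ((err = prison_check(u1, u2)) != 0)       return err;
    if ((err = cr_seeotheruids(p, u1, u2)) != 0) return err;
    if ((err = cr_seeothergids(p, u1, u2)) != 0) return err;
    return cr_canseejailproc(p, u1, u2);
}

/* Number of table entries an observer (gid == uid) in `prison` can see. */
size_t count_visible(int see_other_uids, int see_other_gids,
                     int see_jail_proc, unsigned uid, int prison)
{
    struct policy p = { see_other_uids, see_other_gids, see_jail_proc };
    struct cred observer = { uid, uid, prison };
    size_t n = 0;
    for (size_t i = 0; i < NPROCS; i++)
        if (cr_cansee(&p, &observer, &procs[i]) == 0)
            n++;
    return n;
}

int main(void)
{
    printf("host uid 1001, defaults:                         %zu of %zu\n",
           count_visible(1, 1, 1, 1001, 0), NPROCS);
    printf("host uid 1001, see_other_uids=0:                 %zu (jailed uid 1001 leaks in)\n",
           count_visible(0, 1, 1, 1001, 0));
    printf("host uid 1001, see_other_uids=0 see_jail_proc=0: %zu\n",
           count_visible(0, 1, 0, 1001, 0));
    printf("host root, all three off:                        %zu (root unaffected)\n",
           count_visible(0, 0, 0, 0, 0));
    return 0;
}
```

With see_other_uids=0 alone, host uid 1001 still sees the jailed uid 1001 processes, which is the leak the new knob closes; with see_jail_proc=0 as well it sees only its own host processes, and host root sees the full table whatever the settings, which is the behaviour Allan Jude describes and the observability Konstantin wants preserved.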


