Date:      Wed, 26 Feb 2003 14:48:25 -0800
From:      "Mooneer Salem" <mooneer@translator.cx>
To:        "Pawel Jakub Dawidek" <nick@garage.freebsd.pl>
Cc:        "FreeBSD Hackers" <freebsd-hackers@freebsd.org>
Subject:   RE: Jail seperation patch
Message-ID:  <FHEMJMOKKMJDGKFOHHEPKEPMFCAA.mooneer@translator.cx>
In-Reply-To: <20030226080509.GZ8455@garage.freebsd.pl>

Hello,

1. It handles at least case 1 just fine:

%telnet 10.0.0.2 25
Trying 10.0.0.2...
Connected to pacific.lifeafterking.org.
Escape character is '^]'.
220 pacific.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003
07:45:39 -0700 (MST)
quit
221 2.0.0 pacific.lifeafterking.org closing connection
Connection closed by foreign host.
%telnet 10.0.0.3 25
Trying 10.0.0.3...
Connected to test.lifeafterking.org..
Escape character is '^]'.
220 test.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003
07:45:46 -0700 (MST)
quit
221 2.0.0 test.lifeafterking.org closing connection
Connection closed by foreign host.
%telnet 10.0.0.4 25
Trying 10.0.0.4...
Connected to blah.lifeafterking.org..
Escape character is '^]'.
220 test.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003
07:45:52 -0700 (MST)
quit
221 2.0.0 test.lifeafterking.org closing connection
Connection closed by foreign host.
%ssh mooneer@10.0.0.3
Password:
Last login: Tue Feb 25 22:41:12 2003 from test2.lifeafter
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.0-RELEASE-p1 (VMWARE-SERVER) #38: Mon Feb 24 18:24:18 MST 2003
%telnet 10.0.0.2 25
Trying 10.0.0.2...
Connected to pacific.lifeafterking.org.
Escape character is '^]'.
220 pacific.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003
07:46:16 -0700 (MST)
quit
221 2.0.0 pacific.lifeafterking.org closing connection
Connection closed by foreign host.
%hostname
test.lifeafterking.org
%exit
logout
Connection to 10.0.0.3 closed.
%

However, I just checked and it appears I can connect to 0.0.0.0:

%telnet 0.0.0.0 25
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
220 pacific.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003
07:49:30 -0700 (MST)
quit
221 2.0.0 pacific.lifeafterking.org closing connection
Connection closed by foreign host.
%hostname
test.lifeafterking.org
%

Hey, I found a bug! :)

2. Neat. :) I'm going to add sysctls when I get a chance for the mount hiding.
Also, I'm going to take a look at the VFS code and see if I can hide files
from non-root non-jailed users.

3. Does multi-level jailing add any further restrictions to the jails within
the jails, besides the standard ones imposed?

Thanks,

--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/

-----Original Message-----
From: Pawel Jakub Dawidek [mailto:nick@garage.freebsd.pl]
Sent: Wednesday, February 26, 2003 12:05 AM
To: Mooneer Salem
Cc: FreeBSD Hackers
Subject: Re: Jail seperation patch


On Tue, Feb 25, 2003 at 02:47:11PM -0800, Mooneer Salem wrote:
+> I've been working on extending the jail feature of FreeBSD to make it
+> more friendly to VPS providers. I added the following features:
+>
+> * Rudimentary CPU/RAM/number of processes per-jail limits
+> * Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7)
+>   * Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP
+>     addresses within a jail)

And what happens when we have a situation like:

1.
	main host ips: 1.1.1.2, 1.1.1.3, 1.1.1.4
	jailed host ips: 1.1.1.2, 1.1.1.3

	Daemon in jail binds to INADDR_ANY on port X, somebody connects
	to port X, but to IP 1.1.1.4 (outside jail). Will the connection succeed?
2.
	main host ips: 1.1.1.2, 1.1.1.3, 1.1.1.4
	jailed host ips: 1.1.1.2, 1.1.1.3

	Daemon outside jail binds to port X on IP 1.1.1.4.
	User in jail connects to port X on INADDR_ANY.
	Will the connection succeed?

What happens when a daemon inside the jail and a daemon outside the jail bind
to the same port? If I'm connecting to this port, who will handle the connection?


+> * struct prison added to SysV IPC code (to allow for secure use)

A better solution is to create separate memory zones for the main host and
every jail; look at my patch against 5.0-CURRENT:

	http://garage.freebsd.pl/privipc.tbz
	http://garage.freebsd.pl/privipc.README

+> * Disk mount hiding

A better way is IMHO hiding and cutting pathnames; look at:

	http://garage.freebsd.pl/jailfsstat.tgz
	http://garage.freebsd.pl/jailfsstat.README

+> * Hot add/remove IP addresses from jail using sysctl
+> * Process hiding (non-root users outside jails cannot see jailed
+>   processes)

This isn't a complete solution and I think it couldn't be, because you
still could modify files owned by jailed users with UID notjailed user,
so...

+> The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in
+> any comments or suggestions. If anyone's interested, it can be retrieved
+> at http://msalem.translator.cx/dist/jail_seperation.v5.patch.

You could add multi-level jailing, IMHO it's cool:

	http://garage.freebsd.pl/mljail.tbz
	http://garage.freebsd.pl/mljail.README

Nice work, I'm wondering if something will ever be committed :)

--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
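
Added example, not part of either message and not code from the patch: a user-space C model of the three address checks this thread turns on (bind to INADDR_ANY, inbound delivery to a wildcard listener, connect to INADDR_ANY). The struct and function names are hypothetical, the split of 10.0.0.2 (host) versus 10.0.0.3 and 10.0.0.4 (jail) is inferred from the banners in the transcript, and rewriting a jailed connect(INADDR_ANY) to the jail's first address is one possible confinement rule, assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ANY 0u /* INADDR_ANY */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Hypothetical model of a multi-IP jail; not the patch's struct prison. */
struct jail_model { const uint32_t *ips; size_t nips; };

/* Constructed sample data, addresses as in the transcript (assumed roles). */
static const uint32_t jail_ips[] = { IP(10, 0, 0, 3), IP(10, 0, 0, 4) };
static const struct jail_model jail = { jail_ips, 2 };
static const uint32_t host_primary = IP(10, 0, 0, 2);

static int jail_owns(const struct jail_model *j, uint32_t addr)
{
    for (size_t i = 0; i < j->nips; i++)
        if (j->ips[i] == addr)
            return 1;
    return 0;
}

/* bind(): a jailed socket may use ANY or one of its own addresses. */
static int jail_bind_ok(const struct jail_model *j, uint32_t laddr)
{
    return (laddr == ANY || jail_owns(j, laddr)) ? 0 : -1;
}

/* Inbound: a jailed listener, even a wildcard one, only matches jail IPs. */
static int listener_matches(const struct jail_model *j, uint32_t laddr, uint32_t dst)
{
    return jail_owns(j, dst) && (laddr == ANY || laddr == dst);
}

/* connect(): ANY as destination means "a local address". Unjailed (j == NULL)
 * that is the host's primary; jailed it is rewritten to the jail's first
 * address (the model assumes a jail always has at least one). */
static uint32_t connect_dst(const struct jail_model *j, uint32_t primary, uint32_t dst)
{
    if (dst != ANY)
        return dst;
    return j != NULL ? j->ips[0] : primary;
}

int main(void)
{
    printf("bind to 10.0.0.2 from jail: %d\n", jail_bind_ok(&jail, host_primary));
    printf("jail wildcard listener takes 10.0.0.2: %d\n", listener_matches(&jail, ANY, host_primary));
    printf("connect(ANY): host %08x, jail %08x\n", (unsigned)connect_dst(NULL, host_primary, ANY), (unsigned)connect_dst(&jail, host_primary, ANY));
    return 0;
}
```

The 0.0.0.0 transcript corresponds to the jailed process being treated like the `j == NULL` branch of `connect_dst`, which is why the host's banner came back.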