From owner-freebsd-security Mon Jan 14 10:59:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from khyron.p11.com (khyron.p11.com [64.95.193.74]) by hub.freebsd.org (Postfix) with ESMTP id DB17A37B405 for ; Mon, 14 Jan 2002 10:59:52 -0800 (PST) Received: from rcreasey01 (rcreasey01 [192.168.1.40]) by khyron.p11.com (Postfix) with ESMTP id DB4D33C55AF for ; Mon, 14 Jan 2002 11:01:18 -0800 (PST) From: "Ryan C. Creasey" To: Subject: RE: jail and NFS Date: Mon, 14 Jan 2002 10:59:52 -0800 Message-ID: <000001c19d2d$a5dae5c0$2801a8c0@office.p11.com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > By the way ... > when it type in jailed box > mount > i saw all filesystems and shares mounted by host system > is this correct ? As far as I can tell, yes... I have several jails running within my master environment and there are quite a few ways for a user in the jail to realize that they're actually in the jail. root@dolza.p11.com:/usr/ports# mount /dev/ad0s1a on / (ufs, local) /dev/ad0s1f on /usr (ufs, local, with quotas) /dev/ad0s1e on /var (ufs, local) procfs on /proc (procfs, local) procfs on /usr/jail/dolza.p11.com/proc (procfs, local) procfs on /usr/jail/exedore.p11.com/proc (procfs, local) procfs on /usr/jail/breetai.p11.com/proc (procfs, local) ps being another one; note the 'J': root@exedore.p11.com:/etc# ps PID TT STAT TIME COMMAND 68462 p9- IJ 0:00.01 /bin/sh /usr/local/bin/safe_mysqld --user=mysql 33488 pc R+J 0:00.00 ps 58200 pc SJ 0:00.04 -su (bash) Although there are ways to "hack" your jail to fake users into believing they are acutally on a real environment. As with the above example, it's rather trivial to recompile ps by removing the switch for the 'J' flag: root@dolza.p11.com:/usr/ports# ps PID TT STAT TIME COMMAND 32266 p7 I+ 0:00.02 -su (bash) 63606 p8- I 0:00.01 /bin/sh /usr/local/bin/safe_mysqld --user=mysql 33487 pd R+ 0:00.00 ps 58217 pd S 0:00.11 -su (bash) But there are too many little instances that I seem to overlook. Does anyone know of a project (freshmeat?) out there that does this? Or am I just unusual for wanting users to believe they're not in a jail? Ryan C. Creasey Network Engineer p11creative To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message