From: Pawel Jakub Dawidek
To: Mooneer Salem
Cc: FreeBSD Hackers
Date: Wed, 26 Feb 2003 09:05:09 +0100
Subject: Re: Jail seperation patch
Message-ID: <20030226080509.GZ8455@garage.freebsd.pl>

On Tue, Feb 25, 2003 at 02:47:11PM -0800, Mooneer Salem wrote:
+> I've been working on extending the jail feature of FreeBSD to make it
+> more friendly to VPS providers. I added the following features:
+>
+> * Rudimentary CPU/RAM/number of processes per-jail limits
+> * Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7)
+> * Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP
+>   addresses within a jail)

And what happens when we have a situation like:

1. main host ips: 1.1.1.2, 1.1.1.3, 1.1.1.4
   jailed host ips: 1.1.1.2, 1.1.1.3
   Daemon in jail binds to INADDR_ANY to port X, somebody connects to
   port X, but to IP 1.1.1.4 (outside jail). Will the connection succeed?

2. main host ips: 1.1.1.2, 1.1.1.3, 1.1.1.4
   jailed host ips: 1.1.1.2, 1.1.1.3
   Daemon outside jail binds to port X on IP 1.1.1.4. User in jail
   connects to port X to INADDR_ANY. Will the connection succeed?

What happens when a daemon inside the jail and a daemon outside the jail
bind to the same port? If I'm connecting to this port, who will handle
the connection?

+> * struct prison added to SysV IPC code (to allow for secure use)

A better solution is to create separate memory zones for the main host
and every jail; look at my patch against 5.0-CURRENT:

	http://garage.freebsd.pl/privipc.tbz
	http://garage.freebsd.pl/privipc.README

+> * Disk mount hiding

A better way is, IMHO, hiding and cutting pathnames; look at:

	http://garage.freebsd.pl/jailfsstat.tgz
	http://garage.freebsd.pl/jailfsstat.README

+> * Hot add/remove IP addresses from jail using sysctl
+> * Process hiding (non-root users outside jails cannot see jailed processes)

This isn't a complete solution and I think it couldn't be, because you
still could modify files owned by jailed users with UID notjailed user, so...

+> The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in
+> any comments or suggestions. If anyone's interested, it can be retrieved
+> at http://msalem.translator.cx/dist/jail_seperation.v5.patch.

You could add multi-level jailing, IMHO it's cool:

	http://garage.freebsd.pl/mljail.tbz
	http://garage.freebsd.pl/mljail.README

Nice work, I'm wondering if something will ever be committed :)

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.