From owner-freebsd-jail@FreeBSD.ORG Sun May 27 20:32:46 2012
Date: Sun, 27 May 2012 23:32:45 +0300
From: Andriy Syrovenko
To: freebsd-jail@freebsd.org
Subject: Access to system extattrs from withing a jail

Hello,

The current implementation of FreeBSD jails does not allow access to
extattrs in the system namespace from within a jail. I think, however,
that there are cases when it is desirable to allow jailed root to access
and modify system extended attributes. One case is running jailed Samba,
which, under certain circumstances, may store information in system
extended attributes.

Please find attached two patches that solve this issue for me. They add
an additional jail parameter "allow.extattr_system". When set to 1, this
parameter allows jailed root to access and manipulate extattrs in the
system namespace. I've tested the patches on 9.0-RELEASE.

Are there any security concerns I may have overlooked?
Is there any chance to see these patches committed to base?

Best regards,
Andrey.

Attachment: jail_extaddr_system_kern.patch
Attachment: jail_extaddr_system_user.patch

From owner-freebsd-jail@FreeBSD.ORG Mon May 28 11:07:30 2012
Date: Mon, 28 May 2012 11:07:30 GMT
Message-Id: <201205281107.q4SB7U6R063384@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon May 28 15:04:33 2012
Date: Mon, 28 May 2012 17:04:20 +0200
From: Mateusz Guzik
To: Julian Elischer
Cc: "Bjoern A. Zeeb", sbruno@freebsd.org, FreeBSD-Jail, FreeBSD Hackers
Message-ID: <20120528150420.GA15947@dft-labs.eu>
In-Reply-To: <4FBFC029.10401@freebsd.org>
Subject: Re: [jail] Allowing root privledged users to renice

On Fri, May 25, 2012 at 10:23:53AM -0700, Julian Elischer wrote:
> On 5/25/12 10:04 AM, Bjoern A. Zeeb wrote:
> >On 25. May 2012, at 16:48 , Sean Bruno wrote:
> >
> >>I've been toying with the idea of letting jails renice processes ... how
> >>dangerous and/or stupid is this idea?
> >>
> >>==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 -
> >>/home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ====
> >>270a271,275
> >>+ int jail_allow_renice = 0;
> >>+ SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW,
> >>+&jail_allow_renice, 0,
> >>+ "Prison root can renice processes");
> >>
> >>3857a3863,3865
> >>+ case PRIV_SCHED_SETPRIORITY:
> >>+ if (!jail_allow_renice)
> >>+ return (EPERM);
> >
> >I think sysctls are a bad idea given jails have per-jail flags these days.
> >
> >Maybe also only allow re-nicing to be nicer but not less nice?
> ^^^^ for sure ! start a jail with its max priority and the
> root within can allow nicer priorities only..
> you can always add priority from the master (parent) environment outside.
>

Unless I seriously misunderstood something, that's the case right now.

That is, PRIV_SCHED_SETPRIORITY matters only if resulting nice parameter
would be lower.

-- 
Mateusz Guzik
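
Review bot: in the 270a271,275 hunk, jail_allow_renice is one global int exposed as a read-write sysctl under _security_jail, so setting it changes the outcome for root in every jail on the host at once and no single jail can be granted or denied the privilege on its own. A per-jail allow flag would scope the grant to the jails that need it. The description string "Prison root can renice processes" should also state whether it covers lowering the nice value or only raising it.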
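
Review bot: in the 3857a3863,3865 hunk, the new case PRIV_SCHED_SETPRIORITY handles only the denied path; when jail_allow_renice is non-zero there is no return or break, so the result depends on whichever case label follows the inserted lines, which the diff does not show. Make the allowed path explicit with `return (0);` after the `if`, or add a fall-through comment naming the case it relies on. The test also reads the global variable rather than anything tied to the calling jail, so the decision is the same for all jails.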