Date:      Sat, 15 May 2004 19:52:15 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Julian Elischer <julian@elischer.org>
Cc:        FreeBSD current users <current@FreeBSD.ORG>
Subject:   Re: jail and chflags [patch]
Message-ID:  <20040515175215.GA845@darkness.comp.waw.pl>
In-Reply-To: <Pine.BSF.4.21.0405141637420.85816-100000@InterJet.elischer.org>
References:  <Pine.BSF.4.21.0405141637420.85816-100000@InterJet.elischer.org>


On Fri, May 14, 2004 at 05:25:16PM -0700, Julian Elischer wrote:
+>
+> I have several situations where I use jails, but I also need to allow
+> processes to do 'chflags'.
+> I trust these jailed processes, as I'm using jails to allow different
+> versions of the same software to run, rather than to isolate untrusted
+> users from each other...
+>
+> More confusingly it seems that chflags IS allowed in -current jails
+> despite the fact that the comments say they are not..
+>
+> At the bottom is a patch I propose (relative to 4.8 which I
+> use in production) for allowing a sysctl that decides whether
+> chflags is permitted in a jail..
+>
+> However, in -current the same code is:
+>                 /*
+>                  * Unprivileged processes and privileged processes in
+>                  * jail() are not permitted to unset system flags, or
+>                  * modify flags if any system flags are set.
+>                  * Privileged non-jail processes may not modify system flags
+>                  * if securelevel > 0 and any existing system flags are set.
+>                  */
+>                 if (!suser_cred(cred, PRISON_ROOT)) {
+>                         if (ip->i_flags
+>                             & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
+>                                 error = securelevel_gt(cred, 0);
+>                                 if (error)
+>                                         return (error);
+>                         }
+> [...]
+> 		} else {
+> [...]
+>
+> which to me is confusing because suser_cred(cred, PRISON_ROOT)
+> should return 0 for a jailed root and thus allow it...
+> despite what the comment says.
+> "man 9 suser" says that the PRISON_ROOT flag should be used to ALLOW
+> root privs in a jail. (and the code seems to agree)
+>
+> in fact experimentation in -current shows this to be correct..
+> in a jail:
+>
+> xxx#  chflags noschg libthr.so.1
+> xxx# ls -lo libthr.so.1
+> -r--r--r--  1 root  wheel  - 611568 May 15 00:02 libthr.so.1
+> xxx# chflags schg libthr.so.1
+> xxx# ls -lo libthr.so.1
+> -r--r--r--  1 root  wheel  schg 611568 May 15 00:02 libthr.so.1
+> xxx#
+>
+> comments? yeas? nays?

Whoa! This looks very serious.

I agree with your fix, but a few words about the patch:
1. We should first commit it to -CURRENT.
2. We should also fix ext2fs.
3. Maybe rename the sysctl to
   security.jail.allow_system_flags_modifications?
   Not too short, but it isn't UFS-specific and I'd be glad if we keep
   all jail-related sysctls in the security.jail. tree.

What's your opinion about my patch?

	http://people.freebsd.org/~pjd/patches/jail2.patch

--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
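A constructed C model of the permission decision argued over above (an added example, not code from this thread or from FreeBSD): the quoted suser_cred(cred, PRISON_ROOT) check, with the proposed sysctl toggle placed in front of it so that jailed root is treated as unprivileged unless the toggle is on. The struct cred, the globals, the SF_* values, the toggle name jail_allow_sysflags and the scenario() helper are all stand-ins, not kernel definitions.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed stand-ins for the kernel definitions involved (not FreeBSD's own). */
#define SF_IMMUTABLE 0x00020000u
#define SF_APPEND    0x00040000u
#define SF_NOUNLINK  0x00100000u
#define SF_SYSFLAGS  (SF_IMMUTABLE | SF_APPEND | SF_NOUNLINK)
#define PRISON_ROOT  1
struct cred { int uid; bool jailed; };
int securelevel = 0;          /* models kern.securelevel */
int jail_allow_sysflags = 0;  /* models the proposed security.jail.* toggle (hypothetical name) */

/* Models suser_cred(9): 0 = privileged. A jailed root is privileged only when
 * PRISON_ROOT is passed, which is exactly why the quoted check lets it through. */
static int suser_cred(const struct cred *c, int flag)
{
    if (c->uid != 0 || (c->jailed && !(flag & PRISON_ROOT)))
        return EPERM;
    return 0;
}

/* Models securelevel_gt(9): EPERM when securelevel > level. */
static int securelevel_gt(const struct cred *c, int level)
{
    (void)c;
    return securelevel > level ? EPERM : 0;
}

/* May 'c' change a file's flags from 'cur' to 'want'? Returns 0 or an errno.
 * Privileged branch follows the quoted -current code; the unprivileged branch models
 * the 4.x else-case (system flags neither present nor changed). Only difference from
 * the quoted code: PRISON_ROOT is passed to suser_cred() only when the toggle is on. */
int check_setflags(const struct cred *c, unsigned cur, unsigned want)
{
    if (suser_cred(c, jail_allow_sysflags ? PRISON_ROOT : 0) == 0)
        return (cur & SF_SYSFLAGS) ? securelevel_gt(c, 0) : 0;
    if ((cur & SF_SYSFLAGS) || ((want ^ cur) & SF_SYSFLAGS))
        return EPERM;
    return 0;
}

/* Evaluate one scenario under the given securelevel and toggle setting. */
int scenario(int uid, bool jailed, int seclvl, int allow, unsigned cur, unsigned want)
{
    struct cred c = { uid, jailed };
    securelevel = seclvl;
    jail_allow_sysflags = allow;
    return check_setflags(&c, cur, want);
}
```

With the toggle off, a jailed root clearing schg gets EPERM (what the comment promises); with it on, the call collapses to the quoted check and succeeds (what the jail experiment above shows today).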
