From owner-freebsd-questions@FreeBSD.ORG Sun Oct 14 14:02:20 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3C797A60 for ; Sun, 14 Oct 2012 14:02:20 +0000 (UTC) (envelope-from peter@vereshagin.org) Received: from mx1.skyriver.ru (ns1.skyriver.ru [89.108.118.221]) by mx1.freebsd.org (Postfix) with ESMTP id BE66A8FC12 for ; Sun, 14 Oct 2012 14:02:17 +0000 (UTC) Received: from localhost (exit-01b.noisetor.net [173.254.216.67]) by mx1.skyriver.ru (Postfix) with ESMTPSA id EE4705B62; Sun, 14 Oct 2012 18:02:06 +0400 (MSK) Date: Sun, 14 Oct 2012 18:01:48 +0400 From: Peter Vereshagin To: schultz@ime.usp.br Subject: Re: Sysctls and privacy Message-ID: <20121014140148.GA5344@external.screwed.box> References: <20121012095915.470864k9735iy883@webmail.ime.usp.br> <20121013101545.GA21274@external.screwed.box> <20121013120939.18067gfy2u4vdzjn@webmail.ime.usp.br> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20121013120939.18067gfy2u4vdzjn@webmail.ime.usp.br> Organization: ' X-Face: 8T>{1owI$Byj]]a; ^G]kRf*dkq>E-3':F>4ODP[#X4s"dr?^b&2G@'3lukno]A1wvJ_L(~u 6>I2ra/<,j1%@C[LN=>p#_}RIV+#:KTszp-X$bQOj,K Cc: freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Oct 2012 14:02:20 -0000 Hello. 2012/10/13 12:09:39 -0300 schultz@ime.usp.br => To Peter Vereshagin : > > y > > Hello. > > > > it's a -questions@ here, right? (= > > Indeed. :-) Ouch! it's already not... But I Cc: there. Oops? > > What's a specific of the case? > > I need quite a lot of such "jails", with some being able to see others, > including the case where one "jail" may be visible to many. However, a > "jail" being visible does not mean it can be modified by the observing > "jail". Did you specify elsewhere what a 'visible' does mean to you? - if this means network connectivity then you can put jails on the same network, e. g. the same address on a lo(4) interface - if this means a read-only access to the directory located outside of a jail then her4e is the trick: mount_nullfs -o ro /path/to/inject /your/jail/mount/detination > The first implementation I thought of was using users and groups. I imagine > I can do this with jails and read-only mounts, but I would like to avoid > making a clean system per jail since disk space would not be enough. The same trick can be done for every directory the freebsd base system consists of. Excluding those different for each jail, e. g. /var, /etc. Nullfs daesn't consume your disk space except for additional fstab lines, something about a dozen per jail. (= > Also, the configuration of such environment is much, much simpler than > a jails version. I don't think so. It's a task of the configuration of a second system without hardware initialization and so on, and then spreading your configs around other jails. > To be sincere, I have not discarded the possibility of a jails solution > with clever mounts to preserve space, but it did not occur to me yet. > > > What changes? > > Changing the default permissions on devices (e.g sound), jail goes beyond with its jail_devfs_rules > not allowing > any file to be setuid and be visible to ordinary users, What do you mean 'visible' here? Do you just chmod a-rwx on them? Say, to avoid listing the /usr/bin/su you should chmod a-rx /usr/bin which is far from the best idea... > patching some ports to avoid attacks on /tmp > (X server), Sounds interesting but doesn't seem googleable to me. Any URLs for xorg patches and/or for the list of such a ports please? > exercising memory and process limits via rctl, Ouch! a RELENG_9 feature... > changing > some system configurations (see_other_uids, etc), disabling access to > the system log, stopping useless (to me) daemons, setting per user > ZFS quotas and probably a few more I can't remember at the moment. > > > What kind of danger is this? This system info expose seems nothing to do with > > making the system work unexpectedly. > > Indeed, but then all users might infer which programs are running and when. How could the one know out that from overall system statistics only? > It's not about consistency loss, it's about privacy loss. ok but that can be the loss of a privacy of some other user? > > You didn't mention you must have an outside network connection. Should your > > untrusted software have it? Just unplug it otherwise. > > The untrusted software runs for a reason, and that is I need its output. > Some outputs are not that amenable to verification (pdf files for instance), > and I can not exclude the possibility I myself might post some of these > outputs online, for instance. They may however, contain the logs. Sure. You can convert PDFs to the set of images, reassemble them into your own PDFs without the logs and post then. So without the need for the outside network connectivity there shouldn't be much care. (= > > You can make the special chroot/jail environment for the users keeping them > > away from the access to the binaries exposing sysctls. And permit them the > > write access only to the volumes mounted as '-o noexec'. > > > > There should be the way(s) to bypass this, at the least one of the > > DSLs e. g. > > ruby, python, perl, php used in that environment may provide API for sysctls > > or the modules can be built to use sysctl api from C. Thus you should keep > > your C compiler and any of the soucres e. g. /usr/src to present on that > > environment. > > > > Even with that who knows if your software doesn't use sysctl(3) > > functions. But > > the 'basic user programs' shouldn't. > > That is a real solution for the problem I have asked. However, for my > use cases not being able to produce executables is too restrictive. > > > I don't think it's possible at the moment. Do you think this can be > > implemented without performance loss? Sysctl is a kind of the kernel stuff... > > Assuming you did implement the user blocking code for the sysctls, I Can't remind that. (= > couldn't help but imagine the group one would be one added "if" that > checks membership of an UID to a group. Err... what? > > How about emaulators/qemu, virtualbox, etc? > > They are not security tools. But they can hide the system statistics and improve the privacy, the what you need having the consistency already? I have no idea if 'security' includes 'privacy', sorry. > Both qemu and virtualbox don't guarantee > the code isolated will not interfere with the host. But it seems to. What if the code isolated doesn't interfere? > Also, the memory > usage patterns of these programs are not exactly efficient (in the > case where the sum of all "jail" limits is large but actual usage is > small). Do you mean here the emulators never release memory allocated once? And why jail limits matter after that? Clarify please. > Thank you for the comprehensive answer. Took some avdvice from 'Leadership Cookbook"s like 'Always thank a one only for the something" ? (= -- Peter Vereshagin (http://vereshagin.org) pgp: A0E26627