Date:      Mon, 23 Oct 2017 09:31:42 -0400
From:      Steve Wills <swills@FreeBSD.org>
To:        Allan Jude <allanjude@freebsd.org>, Steven Hartland <steven.hartland@multiplay.co.uk>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r318751 - in head/sys: kern sys
Message-ID:  <92f4d6a9-6fc7-5fbd-7fce-8584c090526d@FreeBSD.org>
In-Reply-To: <96e0c0bc-eb9c-2ffa-9216-88678d0e8730@freebsd.org>
References:  <201705231659.v4NGxOB8013882@repo.freebsd.org> <c156a912-6305-4cc4-261c-5545742d9801@freebsd.org> <CAHEMsqZr4heWmJ2R-v=ct4dAvmj6rveZ4=5wNaaMz_=+KNNnOQ@mail.gmail.com> <96e0c0bc-eb9c-2ffa-9216-88678d0e8730@freebsd.org>

Hi,

On 10/21/2017 18:55, Allan Jude wrote:
> On 2017-10-21 18:45, Steven Hartland wrote:
>> Personally I hate that idea as I like being able to see all the processes
>> from the host.
>>
>> I have a similar hate of Linux containers where you have to jump through
>> hoops just to see what's really happening on the host.
>>
>> On Sat, 21 Oct 2017 at 20:29, Allan Jude <allanjude@freebsd.org
> 
> Note: this does NOT change root's ability to see the processes in the jail.
> 
> It just stops uid 1001 on the host from using the processes owned by uid
> 1001 in each jail, even in the presence of: security.bsd.see_other_uids=0
> 
> 

I think we'd be doing our users a service by enabling this by default 
and avoiding the potential foot-shooting. I'd even be happy if we set 
the other security.bsd.see_other_* to 0 by default. Or at least change 
the installer to default that way (if it doesn't already? I'm not sure).

Personally, I'm going to do that locally anyway so if we don't do those 
things, I won't be upset, but saddened for our users' sake.

Note too that security.bsd.see_jail_proc is partially a workaround for 
the fact that security.bsd.see_other_* doesn't work as you might expect. 
It's literally the UID/GID, rather than the username, so 
security.bsd.see_other_* has no idea that the users in the jail are not 
the same users on the host, which is unexpected and counter-intuitive at 
best and dangerous at worst. (Even if that were changed, 
security.bsd.see_jail_proc is still useful for the potential scenario 
where you don't want/need to set security.bsd.see_other_* but don't want 
users to see processes in jails.)

Steve
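The knobs discussed above (security.bsd.see_other_uids, security.bsd.see_other_gids and security.bsd.see_jail_proc) are plain 0/1 sysctls, so an administrator who wants the behaviour Steve describes can audit and pin them from a script. The following is an added example, not code from this thread or from the FreeBSD project: it reads `sysctl security.bsd`-style "name: value" lines, reports every visibility knob that is not at the restrictive value 0, and prints the /etc/sysctl.conf lines that pin them there. The sample input is constructed; the knob names and their 0/1 semantics are taken from the thread, and the treatment of a missing knob (reported as "missing", since see_jail_proc does not exist on kernels predating r318751) is this example's own choice.

```shell
#!/bin/sh
# Audit FreeBSD process-visibility sysctls and emit hardened settings.
# Added example; not from the thread or the FreeBSD source tree.
# Assumes the three knobs below exist as 0/1 sysctls, as discussed upthread.

# Restrictive values: unprivileged host users see only their own processes,
# and not processes owned by the same numeric uid/gid inside a jail.
HARDENED_SEE_OTHER_UIDS=0
HARDENED_SEE_OTHER_GIDS=0
HARDENED_SEE_JAIL_PROC=0

# audit_visibility_knobs: read "name: value" lines on stdin (the format
# `sysctl security.bsd` prints) and print "name current wanted" for every
# knob that is not at its hardened value; a knob absent from the input is
# reported as "missing". Exit status 0 = all hardened, 1 = action needed.
audit_visibility_knobs() {
    awk -v uids="$HARDENED_SEE_OTHER_UIDS" \
        -v gids="$HARDENED_SEE_OTHER_GIDS" \
        -v jail="$HARDENED_SEE_JAIL_PROC" '
        BEGIN {
            want["security.bsd.see_other_uids"] = uids
            want["security.bsd.see_other_gids"] = gids
            want["security.bsd.see_jail_proc"]  = jail
        }
        /^security\.bsd\.see_/ {
            name = $1; sub(/:$/, "", name)
            if (name in want) {
                seen[name] = 1
                if ($2 != want[name]) { bad++; print name, $2, want[name] }
            }
        }
        END {
            for (n in want)
                if (!(n in seen)) { bad++; print n, "missing", want[n] }
            exit (bad ? 1 : 0)
        }'
}

# hardened_sysctl_conf: print the lines to append to /etc/sysctl.conf so the
# restrictive values survive a reboot.
hardened_sysctl_conf() {
    printf 'security.bsd.see_other_uids=%s\n' "$HARDENED_SEE_OTHER_UIDS"
    printf 'security.bsd.see_other_gids=%s\n' "$HARDENED_SEE_OTHER_GIDS"
    printf 'security.bsd.see_jail_proc=%s\n'  "$HARDENED_SEE_JAIL_PROC"
}

# Constructed sample: a host where all three knobs are at the permissive
# value 1, plus an unrelated security.bsd knob that must be ignored.
SAMPLE_PERMISSIVE='security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 1
security.bsd.see_jail_proc: 1
security.bsd.unprivileged_read_msgbuf: 1'

# Stand-alone run: audit the constructed sample, then the live host if it
# is FreeBSD (Linux sysctl has different names and syntax, so skip it there).
printf '%s\n' "$SAMPLE_PERMISSIVE" | audit_visibility_knobs || hardened_sysctl_conf
if [ "$(uname -s)" = FreeBSD ]; then
    if ! sysctl security.bsd | audit_visibility_knobs; then
        echo '# append to /etc/sysctl.conf:'
        hardened_sysctl_conf
    fi
fi
```

On a FreeBSD host, `sysctl security.bsd | audit_visibility_knobs` reports what to change, and the printed lines go into /etc/sysctl.conf (or `sysctl -w` for an immediate change). To observe the effect Allan describes, run `ps -o pid,jid,user,command -U 1001` as uid 1001 on the host: with see_jail_proc=1 the jailed processes (non-zero jid) owned by uid 1001 are listed, with see_jail_proc=0 they are not, independent of see_other_uids.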
