Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 14 Jan 2002 23:03:25 -0500 (EST)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        "Ryan C. Creasey" <ryan-fbsd@p11.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   RE: jail and NFS
Message-ID:  <Pine.NEB.3.96L.1020114230038.41559A-100000@fledge.watson.org>
In-Reply-To: <000001c19d2d$a5dae5c0$2801a8c0@office.p11.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On Mon, 14 Jan 2002, Ryan C. Creasey wrote:

> But there are too many little instances that I seem to overlook.  Does
> anyone know of a project (freshmeat?) out there that does this?  Or am I
> just unusual for wanting users to believe they're not in a jail? 

The problem is that it would be almost impossible to hide all evidence of
the user being in a jail, due to the way in which jail is implemented.  If
you have root in the jail, you can trivially tell simply by attempting
certain privileged operations, which are limited in jail.  In fact,
configuring a /dev such that it didn't look like a jail, in practice,
would leave you with a system that wasn't in jail :-).  Hiding this
requires a great deal of virtualization, and is probably better suited to
VMware-like solutions.  Hiding the nature of the host environment, on the
other hand, is something that is much easier to do.  It would probably be
worth adding another policy tweak sysctl to hide mount information, which
is something I've seen a number of requests for.  FreeBSD 5.0-CURRENT does
a much better job of limiting information leak into jail, btw, than
4.x-STABLE, due to a reworking of the inter-process authorization.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1020114230038.41559A-100000>