Date:      Wed, 20 Nov 2019 10:47:55 +0100 (CET)
From:      Ronald Klop <ronald-lists@klop.ws>
To:        Miroslav Lachman <000.fbsd@quip.cz>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>, Christos Chatzaras <chris@cretaforce.gr>
Subject:   Re: jexec as user?
Message-ID:  <1244063778.4.1574243275499@localhost>
In-Reply-To: <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz>
References:  <1237616943.9.1574163726832@localhost> <a572c2ec-52b6-0999-9106-75051cfc9821@sentex.net> <F75AA78E-EC55-49F8-9CEA-AB6C6F0BD742@cretaforce.gr> <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz>

Thanks for all the advice. I am indeed looking for using jail from the non-root user in the host. Jailme sounds like a good solution.

My use case is providing a relatively safe way of giving a user the possibility to experiment with root rights (like creating and installing ports) without wrecking the host system.
The users are trusted so it is not so much about security. More about keeping the host system clean.

Regards,
Ronald.
 
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Tuesday, 19 November 2019 20:31
To: Christos Chatzaras <chris@cretaforce.gr>, freebsd-stable <freebsd-stable@freebsd.org>
CC: Ronald Klop <ronald-lists@klop.ws>
Subject: Re: jexec as user?
> 
> Christos Chatzaras wrote on 2019/11/19 14:09:
> >
> >
> >> On 19 Nov 2019, at 15:02, mike tancsa <mike@sentex.net> wrote:
> >>
> >> On 11/19/2019 6:42 AM, Ronald Klop wrote:
> >>> Hi,
> >>>
> >>> Is it possible to jexec into a jail as a regular user? Or to enable
> >>> that somewhere?
> >>> Or is the way to do such a thing to set up ssh in the jail?
> >>>
> >> On 11.3 at least, does not the built in functionality of jexec do what
> >> you need ?
> >>
> >> jexec [-l] [-u username | -U username] jail [command ...]
> >>
> >> # jexec -U testuser 3 csh
> >> testuser@cacticonsole:/ % id
> >> uid=1005(testuser) gid=1005(testuser) groups=1005(testuser)
> >> testuser@cacticonsole:/ %
> >>
> >
> > I think he wants to use jexec as a normal user from the main OS.
> >
> > If he wants to run jexec as root and login to jail as user then your command works.
> 
> If you want to use jexec as normal user in host, look at sysutils/jailme from ports:
> 
> https://www.freshports.org/sysutils/jailme/
> This version is installed setuid and does some sanity checking to ensure the username and UID match between the jail and the host system.
> 
> WWW: https://github.com/Intermedix/jailme
> 
> Miroslav Lachman
> 
> PS: I never used jailme personally
> 
> 
> 
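
The sanity check that the quoted port description attributes to sysutils/jailme (username and UID must match between the jail and the host), sketched as an added example; it is not jailme's code and not part of the thread. It parses constructed passwd(5)-format text so it runs offline, and `lookup_uid` and `may_enter_jail` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed passwd(5)-style samples: name:pw:uid:gid:gecos:home:shell */
static const char HOST_PW[] = "testuser:*:1005:1005:T:/home/testuser:/bin/csh\n"
    "alice:*:1001:1001:A:/home/alice:/bin/sh\nbob:*:1002:1002:B:/home/bob:/bin/sh\n";
static const char JAIL_PW[] = "testuser:*:1005:1005:T:/home/testuser:/bin/csh\n"
    "alice:*:2001:2001:A:/home/alice:/bin/sh\n"; /* alice: UID differs; bob: absent */

/* Find `user` (exact name match) in passwd-format text; 0 on success. */
static int lookup_uid(const char *text, const char *user, uid_t *uid)
{
    size_t ulen = strlen(user);
    if (ulen == 0 || strchr(user, ':')) return -1;   /* reject malformed names */
    for (const char *line = text; line && *line; ) {
        const char *eol = strchr(line, '\n');
        if (strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *p = strchr(line + ulen + 1, ':'); /* skip password field */
            if (!p || (eol && p > eol) || !isdigit((unsigned char)p[1]))
                return -1;
            char *end;
            unsigned long v = strtoul(p + 1, &end, 10);
            if (*end != ':') return -1;              /* UID field must be numeric */
            *uid = (uid_t)v;
            return 0;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* 1 only if `user` maps to caller_uid on the host AND to the same UID in the
 * jail. In a setuid helper, caller_uid would be the real UID from getuid(). */
int may_enter_jail(const char *host_pw, const char *jail_pw,
                   const char *user, uid_t caller_uid)
{
    uid_t host_uid, jail_uid;
    if (lookup_uid(host_pw, user, &host_uid) != 0 || host_uid != caller_uid ||
        lookup_uid(jail_pw, user, &jail_uid) != 0)
        return 0;
    return jail_uid == host_uid;
}

int main(void)
{
    printf("testuser=%d alice=%d\n", may_enter_jail(HOST_PW, JAIL_PW, "testuser", 1005),
           may_enter_jail(HOST_PW, JAIL_PW, "alice", 1001));
    return 0;
}
```
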
Subject: Re: jexec as user?
To: Ronald Klop <ronald-lists@klop.ws>, Miroslav Lachman <000.fbsd@quip.cz>
References: <1237616943.9.1574163726832@localhost>
 <a572c2ec-52b6-0999-9106-75051cfc9821@sentex.net>
 <F75AA78E-EC55-49F8-9CEA-AB6C6F0BD742@cretaforce.gr>
 <06464ab7-abc4-9ee4-a27e-9e4591eebc83@quip.cz>
 <1244063778.4.1574243275499@localhost>
Cc: Christos Chatzaras <chris@cretaforce.gr>,
 freebsd-stable <freebsd-stable@freebsd.org>
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <b09b04ac-bd76-e53f-3177-2444f16a30f1@grosbein.net>
Date: Wed, 20 Nov 2019 17:44:20 +0700
In-Reply-To: <1244063778.4.1574243275499@localhost>

20.11.2019 16:47, Ronald Klop wrote:

> Thanks for all the advice. I am indeed looking for using jail from the non-root user in the host. Jailme sounds like a good solution.
> 
> My use case is providing a relatively safe way of giving a user the possibility to experiment with root rights (like creating and installing ports) without wrecking the host system.
> The users are trusted so it is not so much about security. More about keeping the host system clean.

You could also run an ssh service inside the jail and give users the opportunity to experiment with ssh and keys :-)



