Date:      Wed, 01 Oct 2008 11:54:47 +0300
From:      George Mamalakis <mamalos@eng.auth.gr>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: jails and mac_seeotheruids problems in 6-STABLE
Message-ID:  <48E33AD7.20707@eng.auth.gr>
In-Reply-To: <alpine.BSF.1.10.0809301715540.75798@fledge.watson.org>
References:  <48E1EBE1.50206@eng.auth.gr> <alpine.BSF.1.10.0809301040490.71734@fledge.watson.org> <48E21BD9.1080101@eng.auth.gr> <alpine.BSF.1.10.0809301715540.75798@fledge.watson.org>

Robert Watson wrote:
>
> On Tue, 30 Sep 2008, George Mamalakis wrote:
>
>> It works like a charm! Thank you very much for your time and help,
>
> No problem -- I've gone ahead and committed that change to stable/6.  
> If you're able to test 6.4RC1 when it comes out to confirm that the 
> fix works there as desired, that would be most helpful.
>

I will csup to 6.4RC1 when available, and will inform you of the outcome.

Thanks again.

> Thanks,
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
>>
>> regards,
>>
>>
>> Robert Watson wrote:
>>>
>>> On Tue, 30 Sep 2008, George Mamalakis wrote:
>>>
>>>> I have 3 servers in my lab. 2 of them are running 6-STABLE and one 
>>>> of them is running 7-STABLE. All three have services running in 
>>>> jails. I noticed a very peculiar behavior in 6-STABLE when I set 
>>>> the sysctl security.mac.seeotheruids.enabled=1. The root user in my 
>>>> jails was not able to see processes and sockets owned by other 
>>>> users of the same jail, whereas the root user of the host system 
>>>> could see every process (thank the Almighty). The same behavior 
>>>> does not apply on the server running 7-STABLE.
>>>>
>>>> In one sense it is more secure, since the root user in a jail is 
>>>> not as "strong" as the root user should be in a UNIX system. On the 
>>>> other hand, the root user looses its purpose of existence, which I 
>>>> suppose is a bug.
>>>>
>>>> Below are the security.mac sysctl settings of both 6 and 7-STABLE:
>>>
>>> Could you try modifying 
>>> src/sys/security/mac_seeotheruids/mac_seeotheruids.c in a 6.x tree 
>>> so that the call to suser_cred() in mac_seeotheruids_check() passes 
>>> the SUSER_ALLOWJAIL flag rather than 0?  This may correct the 
>>> problem you're experiencing.  Let me know and I can merge that 
>>> change to 6.x.
>>>
>>> Robert N M Watson
>>> Computer Laboratory
>>> University of Cambridge
>>>
>>>>
>>>> 6-STABLE:
>>>>
>>>> security.mac.max_slots: 4
>>>> security.mac.enforce_network: 1
>>>> security.mac.enforce_pipe: 1
>>>> security.mac.enforce_posix_sem: 1
>>>> security.mac.enforce_suid: 1
>>>> security.mac.mmap_revocation_via_cow: 0
>>>> security.mac.mmap_revocation: 1
>>>> security.mac.enforce_vm: 1
>>>> security.mac.enforce_process: 1
>>>> security.mac.enforce_socket: 1
>>>> security.mac.enforce_system: 1
>>>> security.mac.enforce_kld: 1
>>>> security.mac.enforce_sysv_msg: 1
>>>> security.mac.enforce_sysv_sem: 1
>>>> security.mac.enforce_sysv_shm: 1
>>>> security.mac.enforce_fs: 1
>>>> security.mac.seeotheruids.specificgid: 0
>>>> security.mac.seeotheruids.specificgid_enabled: 0
>>>> security.mac.seeotheruids.primarygroup_enabled: 0
>>>> security.mac.seeotheruids.enabled: 1
>>>> security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443
>>>> security.mac.portacl.port_high: 1023
>>>> security.mac.portacl.autoport_exempt: 1
>>>> security.mac.portacl.suser_exempt: 1
>>>> security.mac.portacl.enabled: 1
>>>>
>>>>
>>>> 7-STABLE:
>>>>
>>>> security.mac.max_slots: 4
>>>> security.mac.version: 3
>>>> security.mac.mmap_revocation_via_cow: 0
>>>> security.mac.mmap_revocation: 1
>>>> security.mac.seeotheruids.specificgid: 0
>>>> security.mac.seeotheruids.specificgid_enabled: 0
>>>> security.mac.seeotheruids.suser_privileged: 1
>>>> security.mac.seeotheruids.primarygroup_enabled: 0
>>>> security.mac.seeotheruids.enabled: 1
>>>>
>>>> I would be very glad if someone could inform me whether I am doing 
>>>> something wrong; if not I think I should inform FreeBSD about this 
>>>> bug.
>>>>
>>>> Thank you guys in advance,
>>>>
>>>> -- 
>>>> George Mamalakis
>>>>
>>>> IT Officer
>>>> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
>>>> MSc (Imperial College of London)
>>>>
>>>> Department of Electrical and Computer Engineering
>>>> Faculty of Engineering
>>>> Aristotle University of Thessaloniki
>>>>
>>>> phone number : +30 (2310) 994379
>>>>
>>>> _______________________________________________
>>>> freebsd-stable@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>>> To unsubscribe, send any mail to 
>>>> "freebsd-stable-unsubscribe@freebsd.org"
>>>>
>>
>>


-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
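The fix Robert proposes in the quoted thread (passing SUSER_ALLOWJAIL instead of 0 to suser_cred() inside mac_seeotheruids_check()) is easier to reason about with a runnable model of the two routines. The block below is an added example, not code from the thread or from the FreeBSD source tree: `struct ucred` is a toy with only the fields the check needs, `model_suser_cred()` mirrors the 6.x rule that a jailed root is privileged only when the caller passes SUSER_ALLOWJAIL, and `model_seeotheruids_check()` mirrors the enabled/same-uid/primary-group/root ordering of the module. The constant value of SUSER_ALLOWJAIL and the uid 80 "www" credential are stand-ins chosen for the example.

```c
#include <errno.h>
#include <stdio.h>

/* Stand-in for the real flag; only the name is borrowed from FreeBSD 6.x. */
#define SUSER_ALLOWJAIL 1

/* Toy credential: just what the visibility check consults. */
struct ucred {
    int cr_uid;    /* effective uid */
    int cr_ruid;   /* real uid */
    int cr_rgid;   /* real gid */
    int jailed;    /* 1 if the owning process runs inside a jail */
};

/* Mirrors security.mac.seeotheruids.enabled and .primarygroup_enabled. */
int seeotheruids_enabled = 1;
int primarygroup_enabled = 0;

/* Model of 6.x suser_cred(): root is privileged, but a *jailed* root only
 * when the caller opts in with SUSER_ALLOWJAIL. 0 = privileged, EPERM = not. */
int model_suser_cred(const struct ucred *cred, int flag)
{
    if (cred->cr_uid != 0)
        return EPERM;
    if (cred->jailed && !(flag & SUSER_ALLOWJAIL))
        return EPERM;
    return 0;
}

/* Model of mac_seeotheruids_check(): may u1 see an object owned by u2?
 * suser_flag is what the module hands to suser_cred(): 0 before the fix,
 * SUSER_ALLOWJAIL after it. 0 = visible, ESRCH = hidden. */
int model_seeotheruids_check(const struct ucred *u1, const struct ucred *u2,
                             int suser_flag)
{
    if (!seeotheruids_enabled)
        return 0;
    if (u1->cr_ruid == u2->cr_ruid)
        return 0;                         /* own objects are always visible */
    if (primarygroup_enabled && u1->cr_rgid == u2->cr_rgid)
        return 0;                         /* same primary group, if enabled */
    if (model_suser_cred(u1, suser_flag) == 0)
        return 0;                         /* privileged root sees everything */
    return ESRCH;
}

/* Scenario from the thread: root inside a jail looking at a jailed uid-80
 * process (constructed credentials). Returns 1 if visible, 0 if hidden. */
int jailed_root_sees_www(int suser_flag)
{
    struct ucred jroot = { 0, 0, 0, 1 };
    struct ucred www   = { 80, 80, 80, 1 };
    return model_seeotheruids_check(&jroot, &www, suser_flag) == 0;
}

/* Same question for root on the host (not jailed). */
int host_root_sees_www(int suser_flag)
{
    struct ucred hroot = { 0, 0, 0, 0 };
    struct ucred www   = { 80, 80, 80, 1 };
    return model_seeotheruids_check(&hroot, &www, suser_flag) == 0;
}

int main(void)
{
    printf("suser_cred(u1, 0):               jailed root sees uid 80? %d\n",
           jailed_root_sees_www(0));
    printf("suser_cred(u1, SUSER_ALLOWJAIL): jailed root sees uid 80? %d\n",
           jailed_root_sees_www(SUSER_ALLOWJAIL));
    printf("host root (either flag):         sees uid 80? %d\n",
           host_root_sees_www(0));
    return 0;
}
```

With flag 0 the model reproduces the 6-STABLE symptom (host root sees everything, jailed root is treated as an ordinary user and gets ESRCH for other uids); with SUSER_ALLOWJAIL jailed root passes the privilege check and the module behaves like the 7-STABLE box, where `security.mac.seeotheruids.suser_privileged` governs the same decision.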



