Date: Tue, 18 Apr 2006 09:25:58 +0800 (CST) From: Cheng-Lung Sung <clsung@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org Cc: clsung@gmail.com Subject: kern/95977: Message-ID: <20060418012558.829047E962@FreeBSD.csie.nctu.edu.tw> Resent-Message-ID: <200604180130.k3I1UMmC098138@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 95977 >Category: kern >Synopsis: >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Tue Apr 18 01:30:22 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Cheng-Lung Sung >Release: FreeBSD 6.1-PRERELEASE i386 >Organization: FreeBSD @ Taiwan >Environment: System: FreeBSD FreeBSD.csie.nctu.edu.tw 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #7: Thu Apr 13 03:20:20 CST 2006 root@FreeBSD.csie.nctu.edu.tw:/home/usr.obj/usr/src/sys/FREEBSD i386 >Description: security.jail.jailed can be too easily shown from in jail, since it gives *someone* chances to know if he is in jail or not. I think better only show jailed when the administrator decide to insecure his machines (i.e. securelevel <=0) >How-To-Repeat: sysctl -a | grep security.jail.jailed jexec <jid> sysctl -a |grep security.jail.jailed >Fix: --- sys/kern/kern_jail.c.orig Mon Apr 17 22:53:48 2006 +++ sys/kern/kern_jail.c Tue Apr 18 09:21:48 2006 @@ -575,7 +575,12 @@ { int error, injail; - injail = jailed(req->td->td_ucred); + /* secured (i.e. level 1, 2, 3...) system + * do not display if jailed */ + if (securelevel_gt(req->td->td_ucred, 0) != 0) + injail = 0; + else + injail = jailed(req->td->td_ucred); error = SYSCTL_OUT(req, &injail, sizeof(injail)); return (error); >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060418012558.829047E962>