Robert Watson wrote:
On Tue, 30 Sep 2008, George Mamalakis wrote:
It works like a charm! Thank you very much for your time and help,
No problem -- I've gone ahead and committed that change to stable/6.
If you're able to test 6.4RC1 when it comes out to confirm that the
fix works there as desired, that would be most helpful.
I will csup to 6.4RC1 when available, and will inform you of the outcome.
Thanks again.
Thanks,
Robert N M Watson
Computer Laboratory
University of Cambridge
regards,
Robert Watson wrote:
On Tue, 30 Sep 2008, George Mamalakis wrote:
I have 3 servers in my lab. 2 of them are running 6-STABLE and one
of them is running 7-STABLE. All three have services running in
jails. I noticed a very peculiar behavior in 6-STABLE when I set
the sysctl security.mac.seeotheruids.enabled=1. The root user in my
jails was not able to see processes and sockets owned by other
users of the same jail, whereas the root user of the host system
could see every process (thank the Almighty). The same behavior
does not apply to the server running 7-STABLE.
In one sense it is more secure, since the root user in a jail is
not as "strong" as the root user should be in a UNIX system. On the
other hand, the root user loses its purpose of existence, which I
suppose is a bug.
Below are the security.mac sysctl settings of both 6 and 7-STABLE:
Could you try modifying
src/sys/security/mac_seeotheruids/mac_seeotheruids.c in a 6.x tree
so that the call to suser_cred() in mac_seeotheruids_check() passes
the SUSER_ALLOWJAIL flag rather than 0? This may correct the
problem you're experiencing. Let me know and I can merge that
change to 6.x.
Robert N M Watson
Computer Laboratory
University of Cambridge
6-STABLE:
security.mac.max_slots: 4
security.mac.enforce_network: 1
security.mac.enforce_pipe: 1
security.mac.enforce_posix_sem: 1
security.mac.enforce_suid: 1
security.mac.mmap_revocation_via_cow: 0
security.mac.mmap_revocation: 1
security.mac.enforce_vm: 1
security.mac.enforce_process: 1
security.mac.enforce_socket: 1
security.mac.enforce_system: 1
security.mac.enforce_kld: 1
security.mac.enforce_sysv_msg: 1
security.mac.enforce_sysv_sem: 1
security.mac.enforce_sysv_shm: 1
security.mac.enforce_fs: 1
security.mac.seeotheruids.specificgid: 0
security.mac.seeotheruids.specificgid_enabled: 0
security.mac.seeotheruids.primarygroup_enabled: 0
security.mac.seeotheruids.enabled: 1
security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443
security.mac.portacl.port_high: 1023
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1
7-STABLE:
security.mac.max_slots: 4
security.mac.version: 3
security.mac.mmap_revocation_via_cow: 0
security.mac.mmap_revocation: 1
security.mac.seeotheruids.specificgid: 0
security.mac.seeotheruids.specificgid_enabled: 0
security.mac.seeotheruids.suser_privileged: 1
security.mac.seeotheruids.primarygroup_enabled: 0
security.mac.seeotheruids.enabled: 1
I would be very glad if someone could inform me whether I am doing
something wrong; if not I think I should inform FreeBSD about this
bug.
Thank you guys in advance,
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
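To make the suggested fix concrete, here is an added stand-alone C model of the decision that mac_seeotheruids_check() makes; it is not FreeBSD's source. The struct cred, the suser_cred() stand-in, the value of SUSER_ALLOWJAIL and the ordering of the exemption checks are simplified assumptions; the point it shows is why a jailed root is refused when the privilege check is called with 0 and permitted when it is called with SUSER_ALLOWJAIL.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's ucred: real uid/gid and a jail flag. */
struct cred {
    unsigned ruid, rgid;
    int jailed;                 /* non-zero when the process lives in a jail */
};

#define SUSER_ALLOWJAIL 1       /* assumed value; only its presence matters */
static int seeotheruids_enabled = 1;   /* security.mac.seeotheruids.enabled */
static int primarygroup_enabled = 0;   /* ...seeotheruids.primarygroup_enabled */

/* Model of suser_cred(): root is superuser, but a jailed root only counts
 * when the caller explicitly allows it by passing SUSER_ALLOWJAIL. */
static int suser_cred_model(const struct cred *c, int flags)
{
    if (c->ruid != 0)
        return EPERM;
    if (c->jailed && !(flags & SUSER_ALLOWJAIL))
        return EPERM;
    return 0;
}

/* Model of mac_seeotheruids_check(): may subject u1 see an object owned by
 * u2?  Returns 0 (visible) or ESRCH (hidden).  suser_flags is the value the
 * policy hands to suser_cred(): 0 in the 6.x code, SUSER_ALLOWJAIL after the fix. */
int seeotheruids_check(const struct cred *u1, const struct cred *u2, int suser_flags)
{
    if (!seeotheruids_enabled)
        return 0;
    if (primarygroup_enabled && u1->rgid == u2->rgid)
        return 0;               /* same primary group is exempt */
    if (u1->ruid == u2->ruid)
        return 0;               /* own objects are always visible */
    if (suser_cred_model(u1, suser_flags) == 0)
        return 0;               /* privileged subject sees everything */
    return ESRCH;
}

int main(void)
{
    struct cred jail_root = { 0, 0, 1 }, jail_www = { 80, 80, 1 };  /* constructed */
    int before = seeotheruids_check(&jail_root, &jail_www, 0);
    int after  = seeotheruids_check(&jail_root, &jail_www, SUSER_ALLOWJAIL);
    printf("jailed root sees uid 80: before fix %s, after fix %s\n",
           before ? "no" : "yes", after ? "no" : "yes");
    return 0;
}
```

Host root (jailed == 0) passes either way, which matches the thread's observation that the host's root could always see every process.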