On Thu, 28 Jul 2011, Ben Kaduk wrote:
@@ -914,3 +914,8 @@ directory that is moved out of the jail' access to the file space outside of the jail. It is recommended that directories always be copied, rather than moved, out of a jail. +.Pp +It is also not recommended that users allowed root in the jail be allowed +access to the host system. +For example, a root user in a jail can create a setuid root utility that +could be run in the host system to achieve elevated privileges.Per rwatson's comment on the other jail.8 thread we've got going, we might recommend that the separate file system for a jail might also be mounted nosuid, which would close off this class of attack.
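Review bot: the new sentence "not recommended that users allowed root in the jail be allowed access to the host system" is ambiguous, since the hazard in the example runs the other way: it is host users executing files that live under the jail's directory tree, not jailed root reaching the host. Suggest wording the recommendation as what the example actually describes, e.g. "It is also not recommended that a jail's file system be executable from the host, since a root user in a jail can create a setuid root utility that could be run in the host system to achieve elevated privileges." That also fits the preceding paragraph about moving directories out of a jail, which is the same class of risk, and leaves room for the subsequent discussion of mounting the jail file system nosuid and what that breaks.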
Setting nosuid will break many common jail installations by turning off things like su(1), sudo, crontab, at, etc.
I think that the better way to approach this may be to discuss, briefly, the philosophy behind Jail: it's not a virtualisation service, it's a subsetting service. A result of that is that the host system is a superset of the various containers, and has properties derived from each of them. You could imagine using various integrity/tainting schemes to avoid this issue -- a new nosuidjail (don't allow it to be setuid except in a jail), using some of our MAC-related schemes, etc. I would be tempted not to do things, but rather, to document the actual semantics and some of the implications.
Robert
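As an added illustration for the point above (this is constructed example code, not part of the thread and not FreeBSD's jail or mdoc source): a small audit that lists the setuid/setgid files under a jail root and reports whether the file system holding it is mounted nosuid, so an administrator can see exactly which binaries (su, sudo, crontab and friends) the nosuid option would neutralise before deciding to use it. It assumes POSIX find(1), df(1) and mount(8); the function names are my own.

```shell
#!/bin/sh
# Audit a jail root directory for setuid/setgid files and report the
# nosuid status of the mount that contains it.  Constructed example:
# the function names (find_suid, count_suid, mount_has_nosuid, audit_jail)
# are assumptions, not anything from jail(8) or the thread.

# Print every regular file under $1, on the same file system, that has
# the setuid (4000) or setgid (2000) bit set.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Number of such files.
count_suid() {
    find_suid "$1" | wc -l | tr -d ' '
}

# Return 0 if the mount containing $1 carries the nosuid option.
# Both FreeBSD and Linux mount(8) print "<device> on <mountpoint> ...",
# with the options for that line including "nosuid" when set.
# Assumption: the mount point path contains no whitespace.
mount_has_nosuid() {
    mp=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    mount | awk -v mp="$mp" '$3 == mp' | grep -q nosuid
}

# Human-readable report for a jail root; exit status is the number of
# setuid/setgid files found (capped by the shell at 255), so it can be
# used from a cron job or a pre-flight check.
audit_jail() {
    root=$1
    n=$(count_suid "$root")
    if mount_has_nosuid "$root"; then
        echo "$root: mounted nosuid; $n setuid/setgid file(s) will NOT be honoured:"
    else
        echo "$root: NOT mounted nosuid; $n setuid/setgid file(s) are live:"
    fi
    find_suid "$root" | sed 's/^/    /'
    return "$n"
}

# Usage: audit_jail /usr/jails/www
```

Run it against each jail root before and after a change to the mount options; a non-empty list on a file system that is not nosuid is the set of binaries a host user could execute with elevated privileges if that directory tree were reachable from the host.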
