jail and chflags [patch]

From: Julian Elischer <julian_at_elischer.org> Date: Fri, 14 May 2004 17:25:16 -0700 (PDT) · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:54 UTC

I have several situations where I use jails, but I also need to allow 
processes to do 'chflags'. 
I trust these jailed processes, as I'm using jails to allow different
versions of the same software to run, rather than to isolate untrusted
users from each other...

More confusingly it seems that chflags IS allowed in -current jails
despite the fact that teh comments say they are not..

At the bottom is a patch I propose (releative to 4.8 which I 
use in production) for allowing a sysctl that decides whether
chflags is permitted in a jail..

However, in -current the same code is:
                /*
                 * Unprivileged processes and privileged processes in
                 * jail() are not permitted to unset system flags, or
                 * modify flags if any system flags are set.
                 * Privileged non-jail processes may not modify system flags
                 * if securelevel > 0 and any existing system flags are set.
                 */
                if (!suser_cred(cred, PRISON_ROOT)) {
                        if (ip->i_flags
                            & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
                                error = securelevel_gt(cred, 0);
                                if (error)
                                        return (error);
                        }
[...]
		} else {
[...]

which to me is confusing because suser_cred(cred, PRISON_ROOT)
should return 0 for a jailed root and thus allow it...
despite what the coment says.
"man 9 suser" says that the PRISON_ROOT flag should be used to ALLOW
root privs in a jail. (and the code seems to agree)

in fact experimentation in -current shows this to be correct..
in a jail:

xxx#  chflags noschg libthr.so.1
xxx# ls -lo libthr.so.1
-r--r--r--  1 root  wheel  - 611568 May 15 00:02 libthr.so.1
xxx# chflags schg libthr.so.1
xxx# ls -lo libthr.so.1
-r--r--r--  1 root  wheel  schg 611568 May 15 00:02 libthr.so.1
xxx#  

comments? yeahs? neys?

julian

Index: sys/ufs/ufs/ufs_vnops.c
===================================================================
RCS file: /repos/projects/mirrored/freebsd/src/sys/ufs/ufs/ufs_vnops.c,v
retrieving revision 1.131.2.8
diff -u -r1.131.2.8 ufs_vnops.c
--- sys/ufs/ufs/ufs_vnops.c     2003/01/02 17:26:19     1.131.2.8
+++ sys/ufs/ufs/ufs_vnops.c     2004/05/14 23:36:20
_at__at_ -57,6 +57,7 _at__at_
 #include <sys/malloc.h>
 #include <sys/dirent.h>
 #include <sys/lockf.h>
+#include <sys/sysctl.h>
 #include <sys/event.h>
 #include <sys/conf.h>

_at__at_ -426,6 +427,11 _at__at_
        return (0);
 }

+SYSCTL_DECL(_vfs_ufs);
+static int ufs_jail_flags = 0;
+SYSCTL_INT(_vfs_ufs, OID_AUTO, jail_flags, CTLFLAG_RW, &ufs_jail_flags,
+    0, "allow chflags in a jail");
+
 /*
  * Set attribute vnode op. called from several syscalls
  */
_at__at_ -460,7 +466,8 _at__at_
                if (cred->cr_uid != ip->i_uid &&
                    (error = suser_xxx(cred, p, PRISON_ROOT)))
                        return (error);
-               if ((cred->cr_uid == 0) && (p->p_prison == NULL)) {
+               if ((cred->cr_uid == 0) && ((p->p_prison == NULL) ||
+                   (ufs_jail_flags != 0))) {
                        if ((ip->i_flags
                            & (SF_NOUNLINK | SF_IMMUTABLE |
SF_APPEND)) &&
                            securelevel > 0)