Re: jail and chflags [patch]

From: Pawel Jakub Dawidek <pjd_at_FreeBSD.org> Date: Sat, 15 May 2004 19:52:15 +0200 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:54 UTC

On Fri, May 14, 2004 at 05:25:16PM -0700, Julian Elischer wrote:
+> 
+> I have several situations where I use jails, but I also need to allow 
+> processes to do 'chflags'. 
+> I trust these jailed processes, as I'm using jails to allow different
+> versions of the same software to run, rather than to isolate untrusted
+> users from each other...
+> 
+> More confusingly it seems that chflags IS allowed in -current jails
+> despite the fact that teh comments say they are not..
+> 
+> At the bottom is a patch I propose (releative to 4.8 which I 
+> use in production) for allowing a sysctl that decides whether
+> chflags is permitted in a jail..
+> 
+> However, in -current the same code is:
+>                 /*
+>                  * Unprivileged processes and privileged processes in
+>                  * jail() are not permitted to unset system flags, or
+>                  * modify flags if any system flags are set.
+>                  * Privileged non-jail processes may not modify system flags
+>                  * if securelevel > 0 and any existing system flags are set.
+>                  */
+>                 if (!suser_cred(cred, PRISON_ROOT)) {
+>                         if (ip->i_flags
+>                             & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
+>                                 error = securelevel_gt(cred, 0);
+>                                 if (error)
+>                                         return (error);
+>                         }
+> [...]
+> 		} else {
+> [...]
+> 
+> which to me is confusing because suser_cred(cred, PRISON_ROOT)
+> should return 0 for a jailed root and thus allow it...
+> despite what the coment says.
+> "man 9 suser" says that the PRISON_ROOT flag should be used to ALLOW
+> root privs in a jail. (and the code seems to agree)
+> 
+> in fact experimentation in -current shows this to be correct..
+> in a jail:
+> 
+> xxx#  chflags noschg libthr.so.1
+> xxx# ls -lo libthr.so.1
+> -r--r--r--  1 root  wheel  - 611568 May 15 00:02 libthr.so.1
+> xxx# chflags schg libthr.so.1
+> xxx# ls -lo libthr.so.1
+> -r--r--r--  1 root  wheel  schg 611568 May 15 00:02 libthr.so.1
+> xxx#  
+> 
+> comments? yeahs? neys?

Whoa! This looks very serious.

I agree with your fix, but few words about patch:
1. We should first commit it to -CURRENT.
2. We should also fix extfs2.
3. Maybe we rename sysctl name to
   security.jail.allow_system_flags_modifications?
   Not too short, but it isn't UFS-specific and I'll be glad if we keep
   all jail-related sysctls in security.jail. tree.

What's your opinion about my patch?

	http://people.freebsd.org/~pjd/patches/jail2.patch

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd_at_FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!