Re: Call for a hacker.... security.bsd.see_other_uids in jails only

From: Drew Broadley <drew_at_corrupt.co.nz>
Date: Sat, 22 May 2004 00:31:18 +1200
Pawel Jakub Dawidek wrote:

>On Thu, May 20, 2004 at 11:01:45PM +0100, Josef Karthauser wrote:
>+> I was wondering whether someone might help me out.
>+> 
>+> There's a couple of sysctls in -current:
>+> 
>+>     security.bsd.see_other_uids: 1
>+>     security.bsd.see_other_gids: 1
>+> 
>+> These effectively allow one to prevent users from spying on each
>+> other.
>+> 
>+> What I need to do is to disable these within jails, but not in the
>+> host enviroment.  The reason I need this is that I'm running the
>+> FreeBSD election on a box of mine, but I don't want to have to clear
>+> these globally.
>+> 
>+> Would someone have the time to hack me a patch to do this? It doesn't
>+> have to be clean, although evenually I'd like to see something like
>+> this committed to freebsd operating on a sysctl.
>
>Implementation wouldn't be probably too hard, but I can't agree it should
>be committed. We need to know where jail's virtualization ends and I think
>it is too far. Of course it will be cool to have those sysctl on per-jail
>basics, as well as others from security.bsd. tree
>(like security.bsd.suser_enabled), but I'm not sure this is the right way
>to go.
>
>Any other opinions? If someone convince me we should do it, I can do it.
>  
>

Surely this persons requirements are far and beyond what chroot (jail) 
has to offer.

If they want the ability to change sysctl values per jail, why not just 
set up virtual machines per user ? Surely this would give him the 
flexibility he needs and the pure security of users not seeing other 
users jails ?

That's my two cent's, and it saves a lot of unnecessary hard work.

- Drew
Received on Fri May 21 2004 - 03:32:35 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:54 UTC