Re: security.bsd.see_other_uids for jails
- From: Anatoli Klassen <anatoli@xxxxxxxxxx>
- Date: Sun, 28 May 2006 16:38:59 +0200
joerg@xxxxxxxxxxxxxxxxx wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
>> Hi All,
>>
>> if security.bsd.see_other_uids is set to 0, users from the main system can still see processes from jails if they have (by accident) the same uid.
>>
>> For me it's wrong behavior because the main system and the jail are two different systems where uids are independent.
>
> Sorry but you have far bigger security problems if you create such a
> setup. E.g. "users" from the outer system can ptrace the processes in
> the jail with the same uid.

But ptrace uses the same function p_cansee for security check.
Does it mean that "outer" user is more privileged than "jailed" root? Is it intended?
Regards,
Anatoli
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"
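The visibility behaviour discussed in this message, as a small model added here for illustration; it is not FreeBSD kernel source and not code from the thread. `struct cred`, `can_see_reported` and `can_see_strict` are hypothetical names, and `can_see_strict` is one reading of the "uids are independent" position, taken as an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified credential; not the kernel's struct ucred. */
struct cred {
    unsigned uid;  /* numeric user id */
    int jail_id;   /* 0 = host (not jailed), >0 = a jail */
};

/* Constructed sample credentials. */
static const struct cred host_user = {1001, 0}, host_root = {0, 0};
static const struct cred jail_user = {1001, 1}, jail_other = {1002, 1};
static const struct cred jail_root = {0, 1};

/* Behaviour reported in the thread: a jailed subject is confined to its own
 * jail, an unjailed subject is not filtered by jail at all, and with
 * see_other_uids == 0 only a numeric uid match (or uid 0) grants visibility. */
static bool can_see_reported(const struct cred *subj, const struct cred *obj,
                             bool see_other_uids)
{
    if (subj->jail_id != 0 && subj->jail_id != obj->jail_id)
        return false;  /* jailed: host and other jails are hidden */
    if (!see_other_uids && subj->uid != 0 && subj->uid != obj->uid)
        return false;  /* uid filter compares numbers only */
    return true;
}

/* Assumed stricter variant: with see_other_uids == 0, a uid match only
 * counts when subject and object live in the same jail (or both on the host). */
static bool can_see_strict(const struct cred *subj, const struct cred *obj,
                           bool see_other_uids)
{
    if (!can_see_reported(subj, obj, see_other_uids))
        return false;
    if (!see_other_uids && subj->uid != 0 && subj->jail_id != obj->jail_id)
        return false;  /* same number, different uid namespace */
    return true;
}

int main(void)
{
    printf("host 1001 -> jail 1001: reported=%d strict=%d\n",
           can_see_reported(&host_user, &jail_user, false),
           can_see_strict(&host_user, &jail_user, false));
    printf("host 1001 -> jail 1002: reported=%d\n",
           can_see_reported(&host_user, &jail_other, false));
    printf("jail root -> host 1001: reported=%d\n",
           can_see_reported(&jail_root, &host_user, false));
    printf("host root -> jail 1001: strict=%d\n",
           can_see_strict(&host_root, &jail_user, false));
    return 0;
}
```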