Chris, On Sun, May 08, 2011 at 09:58:05AM +0100, Chris Rees wrote: > On 8 May 2011 08:52, Jason Hellenthal <jh...@dataix.net> wrote: > > > > Edho, > > > > On Sun, May 08, 2011 at 09:15:28AM +0700, Edho P Arief wrote: > >> On Sun, May 8, 2011 at 5:31 AM, Jamie Landeg Jones <ja...@bishopston.net> > >> wrote: > >> >> All the same, I've sent a PR [1] with some doc patches to make people > >> >> more aware of this -- fulfilling my promise of 2+ years ago :S > >> >> > >> >> Thanks! > >> >> > >> >> Chris > >> >> > >> >> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 > >> > > >> > Um. Some problems here. > >> > > >> > A jail won't work for not-root users if the jail root directory is chmod > >> > 700 - although > >> > there is obviously a 'chroot' running withing the jail, the jailed user > >> > still needs > >> > to have read permission from the hosts / -- chmod 700 therefore locks > >> > all non-root > >> > users out. > >> > > >> > >> It's weird - I don't remember having such problem after setting jails' > >> root directory permission to 700. I don't have the system anymore so I > >> can't verify it just yet. > > > > It should also be noted here that the jailed root user also has permission > > to chmod(1) '/' to anything he or she wants unless you have taken > > precaution to not allow that. I would reccoment storing your jails two > > levels deep into a directory and chmod(1) 700 the first level to prevent > > access from the host and from the jailed root user changing the perms. > > > > Oops, you're absolutely right. > > I've updated the docs patches (links at [1]), though unfortunately it > means it's a little less elegant; I'm reluctant to suggest > > # chmod 0700 $D/.. >
Haha I would strongly suggest against that ;) Not knowing where people are keeping the jails would impose quite a bit of harm if they did have them in places like that or /var/jailname. Unfortunately in this case we can only update the docs and hope that the user will keep up-to-date with reading them. Only other possibility I see is ensuring that noone inside the jail can chmod or do anyting on / but this may actually be quite tough. > in case someone sets $D to /usr/local/myjail or similar... > > Chris > > [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/156853 -- Regards, (jhell) Jason Hellenthal
pgpdpA6vpno7J.pgp
Description: PGP signature
