Re: security.bsd.see_other_uids for jails

2006-05-29 Thread Anatoli Klassen

David Malone wrote:

On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
if security.bsd.see_other_uids is set to 0, users from the main system 
can still see processes from jails if they have (by accident) the same uid.


For me it's wrong behavior because the main system and the jail are two 
different systems where uids are independent.


You could try the following (untested) patch to the MAC seeotheruid
module. You'd need to compile a kernel with the MAC option and then:



Thanks for the patch, maybe I'll need something like that for my 
environment.


But my question is if it's really intended that a jail is not a real virtual 
system but just a way to limit interaction from the jail to the host and not 
vice versa.


If that's the case then this has to be specified in jail(8).

Regards,
Anatoli

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]


security.bsd.see_other_uids for jails

2006-05-28 Thread Anatoli Klassen

Hi All,

if security.bsd.see_other_uids is set to 0, users from the main system 
can still see processes from jails if they have (by accident) the same uid.


For me it's wrong behavior because the main system and the jail are two 
different systems where uids are independent.


Could somebody explain the case?

Regards,
Anatoli
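The asymmetry Anatoli describes, as an added example that is not part of the thread: a userland C model of the kernel's cr_cansee() path (prison_check first, then the see_other_uids real-uid comparison), showing why a host user with a matching real uid sees a jailed process while the reverse is always refused. The struct and helper names are simplified stand-ins for the kernel's, the MAC and gid hooks are omitted, and the uids and jail ids are constructed.

```c
/* Added example, not from the thread: a userland model of FreeBSD's cr_cansee()
 * path as the posters describe it (prison_check, then the see_other_uids test).
 * Names are simplified stand-ins for the kernel's; all data is constructed. */
#include <errno.h>
#include <stdio.h>

struct cred {
    unsigned ruid, euid; /* real uid (what see_other_uids compares), effective uid */
    int prison;          /* 0 = host, >0 = jail id */
};

int see_other_uids = 0; /* models sysctl security.bsd.see_other_uids */

static int jailed(const struct cred *c) { return c->prison != 0; }

/* A jailed subject sees only its own jail; host subjects pass unconditionally. */
static int prison_check(const struct cred *u1, const struct cred *u2)
{
    if (jailed(u1) && (!jailed(u2) || u1->prison != u2->prison))
        return ESRCH;
    return 0;
}

/* suser_cred(cred, SUSER_ALLOWJAIL): euid 0 is privileged even inside a jail. */
static int suser_cred(const struct cred *c) { return c->euid == 0 ? 0 : EPERM; }

/* Compares real uids only; jail membership plays no part in this test. */
static int cr_seeotheruids(const struct cred *u1, const struct cred *u2)
{
    if (!see_other_uids && u1->ruid != u2->ruid && suser_cred(u1) != 0)
        return ESRCH;
    return 0;
}

/* 0 if subject u1 may see object u2, ESRCH otherwise. */
int cr_cansee(const struct cred *u1, const struct cred *u2)
{
    return prison_check(u1, u2) != 0 ? ESRCH : cr_seeotheruids(u1, u2);
}

/* Convenience wrapper: (ruid, euid, prison) of the subject, then of the object. */
int can_see(unsigned r1, unsigned e1, int p1, unsigned r2, unsigned e2, int p2)
{
    struct cred u1 = { r1, e1, p1 }, u2 = { r2, e2, p2 };
    return cr_cansee(&u1, &u2);
}

int main(void)
{   /* The thread's case: host uid 1001 and uid 1001 inside jail 7 (constructed). */
    printf("host->jail, same uid: %d\n", can_see(1001, 1001, 0, 1001, 1001, 7)); /* 0 */
    printf("jail->host, same uid: %d\n", can_see(1001, 1001, 7, 1001, 1001, 0)); /* nonzero: ESRCH */
    return 0;
}
```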


Re: security.bsd.see_other_uids for jails

2006-05-28 Thread Anatoli Klassen

[EMAIL PROTECTED] wrote:

On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:

Hi All,

if security.bsd.see_other_uids is set to 0, users from the main system 
can still see processes from jails if they have (by accident) the same uid.


For me it's wrong behavior because the main system and the jail are two 
different systems where uids are independent.


Sorry but you have far bigger security problems if you create such a
setup. E.g. users from the outer system can ptrace the processes in
the jail with the same uid.



But ptrace uses the same function p_cansee for the security check.

Does it mean that an outer user is more privileged than jailed root? Is 
it intended?


Regards,
Anatoli



Re: accessing NetBSD filesystem

2005-12-25 Thread Anatoli Klassen

Hanspeter Roth wrote:


Fdisk shows sysid 165 (0xa5) for partition 3. This is where FreeBSD
is installed. And Fdisk shows sysid 169 (0xa9) for partition 4. This
is where NetBSD is installed.
In /dev there are ad0s3 and ad0s3[a-g] but there is only an ad0s4.
So how can filesystems of my NetBSD in ad0s4 be accessed?



AFAIK you can access only the 'a' partition of the NetBSD slice.
Just mount it.

If you need other partitions, try to use following module:

http://www.26th.net/public/projects/freebsd/geom_nbsd/geom_nbsd.tgz

1. Download, unpack, go into the dir.
2. Say make.
3. Say kldload ./geom_nbsd.ko
4. All /dev/ad0s3[a-g] should appear.
5. Now mount all partitions as usual.

The module is tested on 6.x and CURRENT. One known bug: it's impossible 
to unload it; you have to reboot for that.



Run ntpd as non-root user

2005-11-07 Thread Anatoli Klassen

Hi All,

I have written patches that allow running ntpd as an ordinary user and/or from
a jail.

The idea is to disable the built-in kernel security checks by setting some
sysctls and then plug in a MAC module (actually it is the same approach
as in mac_portacl to bind to low ports).

There are four new sysctl MIBs:
kern.usersettime - non-root is allowed to change system time,
kern.jailsettime - system time is allowed to be changed from jail,
kern.useradjtime - non-root is allowed to adjust system time,
kern.jailadjtime - system time is allowed to be adjusted from jail;

and a new MAC module mac_settime, where the admin can define rules via a
sysctl MIB:
security.mac.settime.rules=
allow uid 2000 nojail; allow gid 123 jail 10

There is also a one-line patch for ntpd itself to disable the root check at
startup.

I'm waiting for your comments :)

Regards,
Anatoli

--- sys/kern/kern_time.c.orig   Mon Nov  7 11:56:57 2005
+++ sys/kern/kern_time.cMon Nov  7 12:14:45 2005
@@ -41,9 +41,11 @@
 #include sys/sysproto.h
 #include sys/resourcevar.h
 #include sys/signalvar.h
+#include sys/jail.h
 #include sys/kernel.h
 #include sys/mac.h
 #include sys/syscallsubr.h
+#include sys/sysctl.h
 #include sys/sysent.h
 #include sys/proc.h
 #include sys/time.h
@@ -104,6 +106,12 @@
 
 SYSINIT(posix_timer, SI_SUB_P1003_1B, SI_ORDER_FIRST+4, itimer_start, NULL);
 
+static int cf_usersettime;
+static int cf_jailsettime;
+SYSCTL_INT(_kern, OID_AUTO, usersettime, CTLFLAG_RW, cf_usersettime, 0,
+Non-root is allowed to change system time);
+SYSCTL_INT(_kern, OID_AUTO, jailsettime, CTLFLAG_RW, cf_jailsettime, 0,
+System time is allowed to be changed from jail);
 
 static void 
 no_lease_updatetime(deltat)
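Review bot: the two knobs are declared CTLFLAG_RW with descriptions that understate their effect: with `kern.usersettime=1` the later clock_settime/settimeofday hunks skip `suser_cred` entirely, so any non-jailed process may set the clock unless the mac_settime module is loaded and denies it. Say in the description string that the MAC module becomes the only remaining gate, and add a comment that the static zero-initialisation of `cf_usersettime`/`cf_jailsettime` is what keeps the previous root-only behaviour as the default.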
@@ -265,8 +273,10 @@
if (error)
return (error);
 #endif
-   if ((error = suser(td)) != 0)
-   return (error);
+   if (!cf_jailsettime  jailed(td-td_ucred))
+   return (EPERM);
+   if (!cf_usersettime  (error = suser_cred(td-td_ucred, 
SUSER_ALLOWJAIL)) != 0)
+   return (error); /* jail is already 
checked */
if (clock_id != CLOCK_REALTIME)
return (EINVAL);
if (ats-tv_nsec  0 || ats-tv_nsec = 10)
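Review bot: the check order here consults `cf_jailsettime` before `cf_usersettime`, so with `kern.jailsettime=1` and `kern.usersettime=0` a jailed root passes `suser_cred(..., SUSER_ALLOWJAIL)` and may set the host-wide clock; the `/* jail is already checked */` comment does not convey that and should. Since the same block reappears verbatim in the settimeofday hunk below, factor it into one static helper so the two call sites cannot drift apart.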
@@ -472,9 +482,12 @@
if (error)
return (error);
 #endif
-   error = suser(td);
-   if (error)
-   return (error);
+   if (!cf_jailsettime  jailed(td-td_ucred))
+   return (EPERM);
+   if (!cf_usersettime  (error = suser_cred(td-td_ucred, 
SUSER_ALLOWJAIL)) != 0)
+   return (error); /* jail is already 
checked */
+   else
+   error = 0;
/* Verify all parameters before changing time. */
if (tv) {
if (tv-tv_usec  0 || tv-tv_usec = 100)
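Review bot: the `else error = 0;` hanging off the second `if` is needed because the removed `error = suser(td);` used to leave `error` at 0 on the success path and the rest of the function relies on that, but an `else` attached to a short-circuit `&&` with an embedded assignment is easy to misread and was not added to the otherwise identical clock_settime hunk above. Initialise `error = 0;` before the permission checks instead, in both functions.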
--- sys/kern/kern_ntptime.c.origMon Nov  7 11:57:07 2005
+++ sys/kern/kern_ntptime.c Mon Nov  7 12:14:45 2005
@@ -38,6 +38,7 @@
 #include sys/param.h
 #include sys/systm.h
 #include sys/sysproto.h
+#include sys/jail.h
 #include sys/kernel.h
 #include sys/proc.h
 #include sys/lock.h
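Review bot: this include hunk adds sys/jail.h for `jailed()`, but the later hunks in this file call `mac_check_system_settime()` under `#ifdef MAC`, and neither sys/mac.h nor the `opt_mac.h` option header that defines `MAC` is added here. Confirm kern_ntptime.c already includes them, or add them in this hunk; otherwise a MAC kernel either fails to compile or silently compiles the check out.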
@@ -198,6 +199,13 @@
 static void hardupdate(long offset);
 static void ntp_gettime1(struct ntptimeval *ntvp);
 
+static int cf_useradjtime;
+static int cf_jailadjtime;
+SYSCTL_INT(_kern, OID_AUTO, useradjtime, CTLFLAG_RW, cf_useradjtime, 0,
+Non-root is allowed to adjust system time);
+SYSCTL_INT(_kern, OID_AUTO, jailadjtime, CTLFLAG_RW, cf_jailadjtime, 0,
+System time is allowed to be adjusted from jail);
+
 static void
 ntp_gettime1(struct ntptimeval *ntvp)
 {
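Review bot: the `jailadjtime` description `System time is allowed to be adjusted from jail` hides that there is a single system clock: enabling it lets jailed root (or, combined with `useradjtime`, any jailed process) slew the host's time. Make that explicit in the string, and consider whether set and adjust really need four independent knobs, since one pair would be simpler for an administrator to audit.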
@@ -330,12 +338,20 @@
 * the STA_PLL bit in the status word is cleared, the state and
 * status words are reset to the initial values at boot.
 */
-   mtx_lock(Giant);
modes = ntv.modes;
-   if (modes)
-   error = suser(td);
-   if (error)
-   goto done2;
+   if (modes) {
+#ifdef MAC
+   error = mac_check_system_settime(td-td_ucred);
+   if (error)
+   return (error);
+#endif
+   if (!cf_jailadjtime  jailed(td-td_ucred))
+   return (EPERM);
+   if (!cf_useradjtime  
+   (error = suser_cred(td-td_ucred, SUSER_ALLOWJAIL)) != 0)
+   return (error); /* jail is already checked at 
this point */
+   }
+   mtx_lock(Giant);
s = splclock();
if (modes  MOD_MAXERROR)
time_maxerror = ntv.maxerror;
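Review bot: moving the `mtx_lock` on Giant below the permission checks is what makes the new early `return (error)` statements safe (the removed lines had to `goto done2` to drop the lock), and the `#ifdef MAC` block is new for ntp_adjtime, since the removed lines show only `suser(td)`; both are behaviour changes worth stating in the commit message, the second because root callers are now subject to mac_check_system_settime regardless of the sysctl settings.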
@@ -954,8 +970,17 @@
struct timeval atv;
int error;
 
-   if ((error = suser(td)))
+#ifdef MAC
+   error = mac_check_system_settime(td-td_ucred);
+   if (error)
return (error);
+#endif
+   if (!cf_jailadjtime  jailed(td-td_ucred))
+   return (EPERM);
+   if (!cf_useradjtime  (error = suser_cred(td-td_ucred, 
SUSER_ALLOWJAIL)) != 0)
+   return (error);