On Tue, 30 Sep 2008, George Mamalakis wrote:
> I have 3 servers in my lab. 2 of them are running 6-STABLE and one of them
> is running 7-STABLE. All three have services running in jails. I noticed a
> very peculiar behavior in 6-STABLE when I set the sysctl
> security.mac.seeotheruids.enabled=1. The root user in my jails was not able
> to see processes and sockets owned by other users of the same jail, whereas
> the root user of the host system could see every process (thank the
> Almighty). The same behavior does not apply on the server running 7-STABLE.
>
> In one sense it is more secure, since the root user in a jail is not as
> "strong" as the root user should be in a UNIX system. On the other hand, the
> root user loses its purpose of existence, which I suppose is a bug.
>
> Below are the security.mac sysctl settings of both 6 and 7-STABLE:
Could you try modifying src/sys/security/mac_seeotheruids/mac_seeotheruids.c
in a 6.x tree so that the call to suser_cred() in mac_seeotheruids_check()
passes the SUSER_ALLOWJAIL flag rather than 0? This may correct the problem
you're experiencing. Let me know and I can merge that change to 6.x.
Robert N M Watson
Computer Laboratory
University of Cambridge
>
> 6-STABLE:
>
> security.mac.max_slots: 4
> security.mac.enforce_network: 1
> security.mac.enforce_pipe: 1
> security.mac.enforce_posix_sem: 1
> security.mac.enforce_suid: 1
> security.mac.mmap_revocation_via_cow: 0
> security.mac.mmap_revocation: 1
> security.mac.enforce_vm: 1
> security.mac.enforce_process: 1
> security.mac.enforce_socket: 1
> security.mac.enforce_system: 1
> security.mac.enforce_kld: 1
> security.mac.enforce_sysv_msg: 1
> security.mac.enforce_sysv_sem: 1
> security.mac.enforce_sysv_shm: 1
> security.mac.enforce_fs: 1
> security.mac.seeotheruids.specificgid: 0
> security.mac.seeotheruids.specificgid_enabled: 0
> security.mac.seeotheruids.primarygroup_enabled: 0
> security.mac.seeotheruids.enabled: 1
> security.mac.portacl.rules: uid:80:tcp:80,uid:80:tcp:443
> security.mac.portacl.port_high: 1023
> security.mac.portacl.autoport_exempt: 1
> security.mac.portacl.suser_exempt: 1
> security.mac.portacl.enabled: 1
>
>
> 7-STABLE:
>
> security.mac.max_slots: 4
> security.mac.version: 3
> security.mac.mmap_revocation_via_cow: 0
> security.mac.mmap_revocation: 1
> security.mac.seeotheruids.specificgid: 0
> security.mac.seeotheruids.specificgid_enabled: 0
> security.mac.seeotheruids.suser_privileged: 1
> security.mac.seeotheruids.primarygroup_enabled: 0
> security.mac.seeotheruids.enabled: 1
>
> I would be very glad if someone could inform me whether I am doing something
> wrong; if not I think I should inform FreeBSD about this bug.
>
> Thank you guys in advance,
>
> --
> George Mamalakis
>
> IT Officer
> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
> MSc (Imperial College of London)
>
> Department of Electrical and Computer Engineering
> Faculty of Engineering
> Aristotle University of Thessaloniki
>
> phone number : +30 (2310) 994379
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
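The check Robert describes, as an added user-space model rather than the FreeBSD source: `struct cred`, the mock `suser_cred()` and the `SUSER_ALLOWJAIL` value are stand-ins for the kernel's, and only the same-uid and superuser branches of the policy are modelled (the primarygroup/specificgid exemptions are left out). It shows why passing 0 hides other users' objects from jailed root while passing SUSER_ALLOWJAIL restores visibility:

```c
/* User-space model of the 6.x mac_seeotheruids visibility decision.
 * Added illustration, not kernel code: the structures, the mock
 * suser_cred() and the flag value below are assumptions. */
#include <errno.h>
#include <stdio.h>

#define SUSER_ALLOWJAIL 0x01   /* assumed value; only the bit matters here */

struct cred {
    unsigned ruid;    /* real uid of the credential */
    int      jailed;  /* 1 if the credential belongs to a jailed process */
};

/* Mock of 6.x suser_cred(): root is superuser unless the credential is
 * jailed and the caller did not pass SUSER_ALLOWJAIL. */
static int
suser_cred(const struct cred *cr, int flag)
{
    if (cr->ruid != 0)
        return (EPERM);
    if (cr->jailed && !(flag & SUSER_ALLOWJAIL))
        return (EPERM);
    return (0);
}

/* May subject credential u1 see an object owned by credential u2?
 * suser_flag is 0 (the behaviour reported on 6-STABLE) or
 * SUSER_ALLOWJAIL (the proposed fix). Returns 0 if visible, ESRCH if not. */
static int
seeotheruids_check(const struct cred *u1, const struct cred *u2, int suser_flag)
{
    if (u1->ruid == u2->ruid)
        return (0);             /* same real uid: always visible */
    if (suser_cred(u1, suser_flag) == 0)
        return (0);             /* superuser exemption */
    return (ESRCH);
}

int
main(void)
{
    struct cred jail_root = { 0, 1 };   /* root inside a jail */
    struct cred jail_www  = { 80, 1 };  /* uid 80 inside the same jail */

    printf("jailed root, flag 0:          %d\n",
        seeotheruids_check(&jail_root, &jail_www, 0));
    printf("jailed root, SUSER_ALLOWJAIL: %d\n",
        seeotheruids_check(&jail_root, &jail_www, SUSER_ALLOWJAIL));
    return (0);
}
```

With flag 0 the first call returns ESRCH (processes hidden from jailed root); with SUSER_ALLOWJAIL it returns 0, and host root is exempt either way.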