Christos Chatzaras wrote on 2019/11/19 14:09:
>
>> On 19 Nov 2019, at 15:02, mike tancsa <mike at sentex.net> wrote:
>>
>> On 11/19/2019 6:42 AM, Ronald Klop wrote:
>>> Hi,
>>>
>>> Is it possible to jexec into a jail as a regular user? Or to enable
>>> that somewhere?
>>> Or is the way to do such a thing to set up ssh in the jail?
>>>
>> On 11.3 at least, does not the built-in functionality of jexec do what
>> you need?
>>
>> jexec [-l] [-u username | -U username] jail [command ...]
>>
>> # jexec -U testuser 3 csh
>> testuser at cacticonsole:/ % id
>> uid=1005(testuser) gid=1005(testuser) groups=1005(testuser)
>> testuser at cacticonsole:/ %
>>
>
> I think he wants to use jexec as a normal user from the main OS.
>
> If he wants to run jexec as root and log in to the jail as a user, then your command works.

If you want to use jexec as a normal user on the host, look at sysutils/jailme from ports:
https://www.freshports.org/sysutils/jailme/

This version is installed setuid and does some sanity checking to ensure the username and UID match between the jail and the host system.

WWW: https://github.com/Intermedix/jailme

Miroslav Lachman

PS: I never used jailme personally
Good question, Ronald. A test - I can log in to a jail (b3) where I run apache as the www user, so

# jexec -U www b3 /bin/tcsh
> whoami; id
www
uid=80(www) gid=80(www) groups=80(www)

Expected - good! And I can, in the host:

# su -m www -c "whoami; id"
www
uid=80(www) gid=80(www) groups=80(www)

Good - so my user exists in both host and jail. Though for your purposes the host user could be anyone. So we've demonstrated that I have an unprivileged user in both the host and jailed context. But....

# /usr/bin/su -m www -c "jexec -U www b3 /usr/bin/whoami"
jexec: initgroups: www: Operation not permitted

So unless I/we can identify the cause of this, you're stuck. Which surprised me, as I typically run stuff in my jails using commands from the host, like:

/usr/sbin/jexec -U www b3 /usr/local/sbin/httpd -f /usr/local/etc/apache24/httpd.conf

Now to part 2 of your question. I do run sshd quite happily in the jails, so that may be an option for you. (Actually I use dropbear in situations where I don't require the proper audit logs, and it's approx 50% of the sshd resources ;))
Thanks for all the advice. I am indeed looking for using a jail from a non-root user on the host. Jailme sounds like a good solution.

My use case is providing a relatively safe way of giving a user the possibility to experiment with root rights (like creating and installing ports) without wrecking the host system. The users are trusted, so it is not so much about security. More about keeping the host system clean.

Regards,
Ronald.

From: Miroslav Lachman <000.fbsd at quip.cz>
Date: Tuesday, 19 November 2019 20:31
To: Christos Chatzaras <chris at cretaforce.gr>, freebsd-stable <freebsd-stable at freebsd.org>
CC: Ronald Klop <ronald-lists at klop.ws>
Subject: Re: jexec as user?

> Christos Chatzaras wrote on 2019/11/19 14:09:
> >
> >> On 19 Nov 2019, at 15:02, mike tancsa <mike at sentex.net> wrote:
> >>
> >> On 11/19/2019 6:42 AM, Ronald Klop wrote:
> >>> Hi,
> >>>
> >>> Is it possible to jexec into a jail as a regular user? Or to enable
> >>> that somewhere?
> >>> Or is the way to do such a thing to set up ssh in the jail?
> >>>
> >> On 11.3 at least, does not the built-in functionality of jexec do what
> >> you need?
> >>
> >> jexec [-l] [-u username | -U username] jail [command ...]
> >>
> >> # jexec -U testuser 3 csh
> >> testuser at cacticonsole:/ % id
> >> uid=1005(testuser) gid=1005(testuser) groups=1005(testuser)
> >> testuser at cacticonsole:/ %
> >>
> >
> > I think he wants to use jexec as a normal user from the main OS.
> >
> > If he wants to run jexec as root and log in to the jail as a user, then your command works.
>
> If you want to use jexec as a normal user on the host, look at sysutils/jailme from ports:
>
> https://www.freshports.org/sysutils/jailme/
>
> This version is installed setuid and does some sanity checking to ensure the username and UID match between the jail and the host system.
>
> WWW: https://github.com/Intermedix/jailme
>
> Miroslav Lachman
>
> PS: I never used jailme personally
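The username/UID consistency check that Miroslav describes jailme performing before it lets a host user into a jail, written out as an added POSIX sh example (not jailme's own code and not part of the thread): it compares a user's entry in the host's and the jail's passwd(5) database and refuses on any mismatch. The passwd files, the jail user "alice" and the drifted testuser UID are constructed sample data; the thread's www and testuser entries are reused as they appear above.

```shell
#!/bin/sh
# Added example (not jailme's own code): verify that a user name resolves to the
# same uid:gid in the host passwd database and in a jail's passwd database, the
# kind of sanity check described for jailme. All files and entries are constructed.

# uid_in_passwd FILE USER: print "uid:gid" for USER in a passwd(5) file; fail if absent.
uid_in_passwd() {
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# check_jail_user HOST_PASSWD JAIL_PASSWD USER: succeed only when USER exists in
# both databases with an identical uid:gid, so that "jexec -U USER" inside the
# jail lands on the intended account rather than on whatever owns that uid there.
check_jail_user() {
    _host=$(uid_in_passwd "$1" "$3") || { echo "$3: not in host passwd" >&2; return 1; }
    _jail=$(uid_in_passwd "$2" "$3") || { echo "$3: not in jail passwd" >&2; return 1; }
    if [ "$_host" != "$_jail" ]; then
        echo "$3: uid:gid mismatch host=$_host jail=$_jail" >&2
        return 1
    fi
    echo "$3: uid:gid $_host matches in host and jail"
}

# Constructed stand-ins for /etc/passwd on the host and inside the jail.
SAMPLE_DIR=$(mktemp -d)
HOST_PW="$SAMPLE_DIR/host.passwd"
JAIL_PW="$SAMPLE_DIR/jail.passwd"
cat > "$HOST_PW" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
testuser:*:1005:1005:Test User:/home/testuser:/bin/csh
alice:*:1001:1001:Host-only user:/home/alice:/bin/sh
EOF
cat > "$JAIL_PW" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
testuser:*:1006:1006:Test User with a drifted uid:/home/testuser:/bin/csh
EOF

# www matches, testuser's uid drifted between host and jail, alice is host-only.
for u in www testuser alice; do
    check_jail_user "$HOST_PW" "$JAIL_PW" "$u" || :
done
```

Running it prints one "matches" line for www and two refusals on stderr; in a real deployment the two passwd paths would be the host's /etc/passwd and the jail root's etc/passwd.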