search for: devfsrules_jail

Hello, I'm wondering about closing some information leaks in FreeBSD jails from the "outside world". Not that critical (depends on the application), but a simple user, with restricted devfs in the jail (devfsrules_jail for example from /etc/defaults/devfs.rules) can figure out the following: - network interfaces related data, via ifconfig, which contains everything, but the primary IP address of the interfaces. It seems that alias IPs can be viewed: bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&g...

...systems Solution: use the follwing sysctl variable security.bsd.see_other_uids=0 security.bsd.unprivileged_read_msgbuf=0 Since the web users are in a jail, set restricted devfs ruleset (this is easily done via rc.conf) jail_web_devfs_enable="YES" jail_web_devfs_ruleset="devfsrules_jail" - Web users and executed web scripts shouldn't be able to read important system files Solution: use ufs_acl to prevent the users from accessing the following: /boot /root /sbin /usr/sbin /usr/local/sbin /var /etc/(apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf,...

This message was sent to bugtraq today: While playing around with FreeBSD 5.4 and jailing I discovered that it was possible to put an ethernet interface into promiscious mode from within the jailed environment, allowing a packetsniffer to gather data not meant for the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x This can be reproduced on boxes where BPF support is

Hi, Running: Freebsd 6.0 I am wondering if it is possible to have acces to loopback ip in a jail. I currently have a server running a jail. In the jail, there is a database and a web server. I would like to be able to have the database only bind on a loopback address and not on the jail's ip. Can this be done and how? Thanks -Cyril