Displaying 4 results from an estimated 4 matches for "devfsrules_jail".
2005 Aug 18
4
Closing information leaks in jails?
Hello,
I'm wondering about closing some information leaks in FreeBSD jails from
the "outside world".
Not that critical (depends on the application), but a simple user, with
restricted devfs in the jail (devfsrules_jail for example from
/etc/defaults/devfs.rules) can figure out the following:
- network interface related data, via ifconfig, which contains
everything but the primary IP address of the interfaces. It seems that
alias IPs can be viewed:
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>...
2007 Feb 18
1
Secure shared web hosting using MAC Framework
...systems
Solution:
use the following sysctl variables
security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0
Since the web users are in a jail, set restricted devfs ruleset (this is easily done via rc.conf)
jail_web_devfs_enable="YES"
jail_web_devfs_ruleset="devfsrules_jail"
- Web users and executed web scripts shouldn't be able to read important system files
Solution:
use ufs_acl to prevent the users from accessing the following:
/boot /root
/sbin /usr/sbin /usr/local/sbin
/var
/etc/(apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf,...
2005 Jul 14
2
[ronvdaal@zarathustra.linux666.com: Possible security issue with FreeBSD 5.4 jailing and BPF]
This message was sent to bugtraq today:
While playing around with FreeBSD 5.4 and jailing I discovered that it was
possible to put an ethernet interface into promiscuous mode from within the
jailed environment, allowing a packet sniffer to gather data not meant for
the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x.
This can be reproduced on boxes where BPF support is
2006 Mar 07
3
Jails and loopback interfaces
Hi,
Running: FreeBSD 6.0
I am wondering if it is possible to have access to a loopback IP in a jail. I
currently have a server running a jail. In the jail, there is a database and a
web server. I would like to be able to have the database only bind on a
loopback address and not on the jail's ip.
Can this be done and how?
Thanks
-Cyril