search for: unprivileged_read_msgbuf

Displaying 3 results from an estimated 3 matches for "unprivileged_read_msgbuf".

2005 Aug 18
4
Closing information leaks in jails?
Hello, I'm wondering about closing some information leaks in FreeBSD jails from the "outside world". Not that critical (depends on the application), but a simple user, with restricted devfs in the jail (devfsrules_jail for example from /etc/defaults/devfs.rules) can figure out the following: - network interfaces related data, via ifconfig, which contains everything, but the
2007 Feb 18
1
Secure shared web hosting using MAC Framework
...mp Solution: add a ufs_acl rule to /tmp, this should be read only (for mysql socket and other things that might reside here) - As much as possible, web users should have a limited view of the systems Solution: use the following sysctl variable security.bsd.see_other_uids=0 security.bsd.unprivileged_read_msgbuf=0 Since the web users are in a jail, set restricted devfs ruleset (this is easily done via rc.conf) jail_web_devfs_enable="YES" jail_web_devfs_ruleset="devfsrules_jail" - Web users and executed web scripts shouldn't be able to read important system files Solution:...
2006 Apr 12
1
powerd not behaving with an Asus A8V-MX and Athlon 64 X2 3800+
...ty.jail.enforce_statfs: 2 security.jail.allow_raw_sockets: 0 security.jail.chflags_allowed: 0 security.jail.jailed: 0 security.bsd.suser_enabled: 1 security.bsd.see_other_uids: 1 security.bsd.see_other_gids: 1 security.bsd.conservative_signals: 1 security.bsd.unprivileged_proc_debug: 1 security.bsd.unprivileged_read_msgbuf: 1 security.bsd.hardlink_check_uid: 0 security.bsd.hardlink_check_gid: 0 security.bsd.unprivileged_get_quota: 0 dev.nexus.0.%driver: nexus dev.nexus.0.%parent: root0 dev.npx.0.%desc: math processor dev.npx.0.%driver: npx dev.npx.0.%parent: nexus0 dev.acpi.0.%desc: A M I OEMXSDT dev.acpi.0.%driver:...