jailkit-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Jailkit-users] jailed user can view directories/files outside home

From: Olivier Sessink
Subject: Re: [Jailkit-users] jailed user can view directories/files outside home
Date: Fri, 10 May 2019 12:21:31 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 
On 10-05-19 11:14, Brian Platt wrote:
> So I have 2 test users. A user can view the /opt/jail/home folders but
> cannot enter another users directory as expected
>
> address@hidden:/home$ ls -la
> total 16
> drwxr-xr-x  4 root  root 4096 May 10 10:54 .
> drwxr-xr-x 11 root  root 4096 Aug 24  2016 ..
> drwx------  3 test    33 4096 May  7 13:28 test
> drwx------  3 test2   33 4096 Apr 10 09:57 test2
>
> address@hidden:/home$ cd test2/
> bash: cd: test2/: Permission denied
>
> great that works BUT as the test user i'm able to browse folders below
> home 
>
> address@hidden:/home$ cd ..
> address@hidden:/$ ls -la
> total 44
> drwxr-xr-x 11 root root 4096 Aug 24  2016 .
> drwxr-xr-x 11 root root 4096 Aug 24  2016 ..
> drwxr-xr-x  2 root root 4096 May  8 16:23 bin
> drwxr-xr-x  2 root root 4096 Apr  3 17:41 dev
> drwxr-xr-x  6 root root 4096 May  8 16:24 etc
> drwxr-xr-x  4 root root 4096 May 10 10:54 home
> drwxr-xr-x  4 root root 4096 Aug 24  2016 lib
> drwxr-xr-x  2 root root 4096 Aug 24  2016 lib64
> drwxrwxrwx  2 root root 4096 Aug 30  2016 tmp
> drwxr-xr-x  6 root root 4096 Aug 24  2016 usr
> drwxr-xr-x  3 root root 4096 Aug 24  2016 var
>
> and view file contents (but not edit)
>
> address@hidden:/$ cd /etc/
> address@hidden:/etc$ cat passwd
> root:x:0:0:root:/root:/bin/bash
> test:x:1001:1001:First
> Last,RoomNumber,WorkPhone,HomePhone:/home/test:/bin/bash
> test2:x:1002:1002:,,,:/home/test2:/bin/bash
>
> Shouldn't the user at least be jailed to the home directory?

if a user has no rights to open for example a library file from
/usr/lib, any application that needs this library will not start. Even
bash needs access to many of these files in order to start. But access
to these files is completely harmless: they are the same files available
in the Linux repository, so there is nothing interesting to be found here.

If you do not want users to see each other existance , you create a
seperate jail for each user.

If you do not want a user to have shell access at all (but for example
only scp or svn) you can use jk_lsh inside the jail.

Olivier

-- 

-- 
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]