Re: [Jailkit-users] User can view files outside his own chroot directory


From: Marcin Krol
Subject: Re: [Jailkit-users] User can view files outside his own chroot directory
Date: Fri, 28 Jun 2013 10:07:24 +0200
User-agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7

I'm not sure this is possible - many user/client programs, such as
ssh, need access to files in the /etc dir and other system dirs (/usr/lib,
/usr/sbin). If you make them invisible to the jailed user, how is a
program started by him supposed to access such files? They need those
to work, unless of course you a. recompiled all user programs in a
static mode and b. modified them in such a way as for them not to need
peculiar files such as /etc/passwd. Not a very practical option.

That's why RTFMing on the main page of the jailkit author states
explicitly: make sure the files in dirs such as /etc are owned by root
and not writable by the jailed user, or else your security is lost.
Otherwise, you should be good and since files for the programs are
copied selectively by jk_cp, what's the problem?

(not that I like /etc and /usr/lib and /usr/bin and the like being
visible to the jailed user - I dislike it, but there is not much other
option, apart maybe from some kernel-level witchcraft that would
achieve such a thing, but that nobody seems much in the mood for doing)



On 6/28/2013 04:59, Jianzhou wrote:
> Hello,
> 
> Can we lock him to his own home directory? Not able to let him
> browse outside his own directory?
> 
> Currently, he can see the list of users in /home (in the jail
> container /backup/jail). Is this normal?
> 
> 
> 
> On Thu, Jun 27, 2013 at 8:51 PM, Jianzhou <address@hidden> wrote:
> 
> This is how it is like for multiple users in /etc/passwd
> 
> http://pastebin.com/iPQ4UkSJ
> 
> 
> Are they supposed to be able to see /backup/jail/etc/passwd too??
> 
> 
> 
> 
> On Thu, Jun 27, 2013 at 8:48 PM, Olivier Sessink <address@hidden> wrote:
> 
> On 06/27/2013 02:15 PM, Jianzhou wrote:
>> Hello,
>> 
>> he can see /backup/jail/etc/passwd but not /etc/passwd
>> 
>> he can also see the list of user accounts in
>> /backup/jail/home/
>> 
>> Is this normal?
> 
> if you have multiple users inside 1 jail, they can see each other's
> existence, and (if the directory permissions allow so) share files.
> You can create a jail for each user without a problem, just make 
> sure you use hardlinks to avoid extra disk space costs.
> 
> Olivier
> 
> -- Bluefish website http://bluefish.openoffice.nl/ Blog
> http://oli4444.wordpress.com/
> 
> 
> _______________________________________________ Jailkit-users
> mailing list address@hidden
> https://lists.nongnu.org/mailman/listinfo/jailkit-users
> 
> 
> 
> 
> -- Best Regards, Jianzhou

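The ownership rule stated in the message above (system files in the jail owned by root and not writable by the jailed user), as an added example that is not part of the original post or of jailkit: a small Python audit that walks a jail's system directories and lists entries that break the rule. The function names, the directory list and the use of /backup/jail (the path from this thread) as the default are assumptions, and group-writable entries are flagged conservatively.

```python
import os
import stat

# Assumed set of system directories inside the jail; adjust to your layout.
SYSTEM_DIRS = ("etc", "bin", "lib", "usr")

def check_entry(path, trusted_uid):
    """Return the problems found for one path (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return []  # link mode bits are meaningless; the containing directory is checked
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("owner uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/other-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems

def audit_jail(jail_root, trusted_uid=0, system_dirs=SYSTEM_DIRS):
    """Walk the jail's system directories and report entries a jailed user could alter."""
    findings = []
    paths = [jail_root]  # the jail root itself must not be replaceable either
    for name in system_dirs:
        top = os.path.join(jail_root, name)
        if not os.path.isdir(top) or os.path.islink(top):
            continue
        paths.append(top)
        # os.walk does not descend into symlinked directories by default
        for dirpath, dirnames, filenames in os.walk(top):
            paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        for problem in check_entry(path, trusted_uid):
            findings.append((os.path.relpath(path, jail_root), problem))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # Default path is the jail location mentioned in this thread.
    jail = sys.argv[1] if len(sys.argv) > 1 else "/backup/jail"
    for rel, problem in audit_jail(jail):
        print("%s: %s" % (rel, problem))
```

An empty result means every checked entry is owned by the trusted uid and has no group or other write bit; home directories are deliberately outside the walk.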

