5849 Forbes Avenue
Pittsburgh, PA 15217
The jail system on FreeBSD provides convenient, lightweight virtualised environments (OS-level containers sharing the host kernel, not full virtual machines) within the FreeBSD operating system.
For our purposes, the jails are tightly controlled and monitored. We'd like non-administrative users (i.e. application developers) to be able to access the jails so that the systems team doesn't have to hand-hold application upgrades, etc. Unfortunately, our network infrastructure prevents us from allowing ssh access directly to the jail systems without jumping through flaming hoops on the policy routers. The jexec program looks like a good solution, except that it requires root privileges to run, which forces us to allow too much access via sudo. Even with the fine-grained control that sudo gives us, the stock jexec makes the user root within the jail, and we don't want that either.
jailme is a modified version of jexec. It is installed setuid root so that it can make the jail_attach() call, which requires root. Once attached, it looks up the calling user's name and user ID in the jail's password database and checks that they are identical to the caller's name and UID on the host system. This acts as a sanity check. If the sanity check passes, jailme drops root and runs the requested command with the user's own credentials inside the jail, rather than as root the way stock jexec would.
Because of the UID mapping requirement, I doubt this program will be useful on all jail systems, but I expect that there will be a subset of system configurations that find this program useful for keeping security tight. In theory, there's no reason it couldn't be part of the FreeBSD base system, as it should not present any security problems on systems not planned to use it.
For now, here's the code: jailme-0.1.tar.bz2
Untar the archive and run make install as root. Usage is identical to jexec.
If your system is not designed to use jailme, you could be creating security issues by installing it.
For example, if you have unprivileged users on the host operating system and accidentally create a user within a jail with the same username and UID as one of those host users, that host user can now enter the jail as the jail user, which is an unintentional security breach. A more specific gap is that jailme does not check whether the user has the same group membership in the jail as on the host system: if the jail's group database places that user in additional groups (wheel, for instance), jailme will grant more access within the jail than intended.
I don't believe the risk of such a thing happening is very high. Also, system administrators who are aware of these security concerns can easily audit their systems and ensure they have not created such a situation.
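To make the mechanism and the group caveat concrete, here is an added example of a jailme-style setuid wrapper in C. It is not the jailme-0.1 source from the tarball above; it follows the flow described on this page (record the caller's host identity, jail_attach() as root, look the same UID up again inside the jail, refuse unless name and UID agree in both directions, then drop root before exec) and goes one step further than the page says jailme does by also refusing when the jail's group database grants the user any group the host does not. The struct and function names, the reason codes and the MAX_GROUPS limit are this example's own choices; jail_attach() and sys/jail.h exist only on FreeBSD, so the attach step is compiled out elsewhere and the identity check can still be exercised on its own.

```c
/*
 * Added example of a jailme-style setuid wrapper (not the jailme-0.1 source).
 * Flow: record the caller's host identity, jail_attach() as root, look the
 * same UID up inside the jail, refuse unless name and UID agree in both
 * directions and the jail grants no group the host does not (the group check
 * is an addition; the page says jailme lacks it), drop root, then exec.
 */
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/jail.h>
#endif

#define MAX_GROUPS 64   /* assumed limit; beyond it we refuse, never truncate */

/* One account as seen by whichever passwd/group database is visible. */
struct ident {
    char  name[32];
    uid_t uid;
    gid_t gid;                 /* primary group */
    int   ngroups;
    gid_t groups[MAX_GROUPS];  /* getgrouplist() result, primary included */
};

static int has_gid(const struct ident *id, gid_t g)
{
    for (int i = 0; i < id->ngroups; i++)
        if (id->groups[i] == g)
            return 1;
    return 0;
}

/* The sanity check.  0 = identities agree; 1 = name or UID differ;
 * 2 = the jail grants a group (primary or supplementary) the host does not. */
int check_identity(const struct ident *host, const struct ident *jail)
{
    if (strcmp(host->name, jail->name) != 0 || host->uid != jail->uid)
        return 1;
    if (host->gid != jail->gid)
        return 2;
    for (int i = 0; i < jail->ngroups; i++)
        if (!has_gid(host, jail->groups[i]))
            return 2;
    return 0;
}

/* Resolve uid in the currently visible database.  The name found by UID must
 * map back to the same UID, so a second entry reusing the name with another
 * UID cannot pass.  getpwnam() may reuse libc's static buffer, so copy first. */
static int lookup_ident(uid_t uid, struct ident *id)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return -1;
    snprintf(id->name, sizeof id->name, "%s", pw->pw_name);
    id->uid = uid;
    id->gid = pw->pw_gid;
    pw = getpwnam(id->name);
    if (pw == NULL || pw->pw_uid != uid)
        return -1;
    id->ngroups = MAX_GROUPS;
    return getgrouplist(id->name, id->gid, id->groups, &id->ngroups) < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s jid command [args...]\n", argv[0]);
        return 64;
    }
    uid_t real = getuid();            /* the caller, not the setuid euid 0 */
    if (real == 0) {
        fprintf(stderr, "root should use jexec(8) instead\n");
        return 1;
    }
    char *end;
    long jid = strtol(argv[1], &end, 10);
    if (*argv[1] == '\0' || *end != '\0' || jid <= 0) {
        fprintf(stderr, "bad jid: %s\n", argv[1]);
        return 1;
    }
    struct ident host, jail;
    if (lookup_ident(real, &host) < 0) {
        fprintf(stderr, "no usable host account for uid %lu\n", (unsigned long)real);
        return 1;
    }
#ifdef __FreeBSD__
    if (jail_attach((int)jid) < 0) {  /* needs euid 0, hence the setuid bit */
        perror("jail_attach");
        return 1;
    }
#else
    fprintf(stderr, "jail_attach() is FreeBSD-only; nothing attached\n");
    return 1;
#endif
    /* From here on, the passwd and group lookups read the jail's own files. */
    if (lookup_ident(real, &jail) < 0) {
        fprintf(stderr, "uid %lu has no usable account in the jail\n", (unsigned long)real);
        return 1;
    }
    int why = check_identity(&host, &jail);
    if (why != 0) {
        fprintf(stderr, "refusing: %s\n", why == 1
                ? "user name/UID differ between host and jail"
                : "jail grants groups the host account does not have");
        return 1;
    }
    /* Drop root for good: groups, then gid, then uid, then prove it stuck. */
    if (setgroups(jail.ngroups, jail.groups) < 0 || setgid(jail.gid) < 0 ||
        setuid(real) < 0) {
        perror("drop privileges");
        return 1;
    }
    if (setuid(0) == 0) {
        fprintf(stderr, "privilege drop did not stick; aborting\n");
        return 1;
    }
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 127;
}
```

Build it on a FreeBSD host with cc -o jailme jailme.c, install it owned by root with mode 4750 and a group limited to the developers who need it, and run it as jailme jid command, as with jexec. Two details are worth keeping in any real version: refusing, rather than truncating, when getgrouplist() reports more groups than the buffer holds, and confirming after the drop that setuid(0) fails, since a wrapper that attaches to a jail but keeps a saved root UID would be worse than stock jexec.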
If you believe you know of any way in which jailme presents a security issue, please contact me.
All content copyright Collaborative Fusion, Inc. and Bill Moran. All rights reserved.