savannah-hackers

[Savannah-hackers] savannah.gnu.org: submission of jailuser


From: kaworu
Subject: [Savannah-hackers] savannah.gnu.org: submission of jailuser
Date: Thu, 21 Jun 2001 16:24:11 -0700

A package was submitted to savannah.gnu.org.
This mail was sent to address@hidden, address@hidden


Evan Sarmiento <address@hidden> described the package as follows:
License: mbsd
Other License: 
Package: jailuser
System name: jailuser
This package does NOT want to apply for inclusion in the GNU project

I am going to be working on a set of security modules / extensions for the 
FreeBSD operating system called "jailuser." Jail chroot()s an environment and 
applies restrictions to each process forked within; for example, users are not 
allowed to access the link layer through the Berkeley Packet Filter, or use any 
SysV IPC. Users of a jail cannot log in to a jail from the console, which poses a 
problem for sysadmins who have set up a jail for employees who need physical 
access. Jailuser changes the semantics of jail() in numerous ways. First of 
all, there is no chroot(). Users are kept to their own home directory through a 
"kernel-backed restricted shell." Basically, it is just conditionals on 
system calls like chdir() or VOP_LOOKUP() which prohibit users from listing or 
changing out of their home directory. Secondly, 'jailusers' will have all the 
same restrictions as jail, but they can log in from the console. Most importantly, 
you can specify whether a user is allowed to run setuid programs. There will be a 
conditional in execve() like: if (real user id of calling process != uid of 
user) return (EPERM);

Currently, I have a semi-working implementation of this. I've created the 
jailuser() system call, SysV IPC is not allowed, and I've hacked ps so that 
jail user processes show up with +U.

There are no URLs, currently, as I'm just beginning this process. After I do 
substantial work, I plan to write an abstract on it for BSDCon 2002.
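Added example (not part of the message above, and not jailuser's own kernel code): a user-space model of the two policy checks the post describes, the chdir()/VOP_LOOKUP() conditional that confines a user to their home directory and the execve() conditional that refuses setuid programs. The function names jailuser_lookup_check() and jailuser_execve_check(), the 1024-byte path buffers, and the sample paths and uids are assumptions made for illustration. The lookup check shows the two pitfalls such a conditional has to handle: ".." segments that lexically escape the home directory, and a naive string-prefix test that would let /home/alice also admit /home/alicebob.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical user-space model of the jailuser policy checks described in
 * the post. Added illustration only; it is not the project's kernel code. */

/* Lexically normalise an absolute path: collapse "//", "." and "..".
 * Returns 0 on success, -1 if the input is not absolute or does not fit. */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    char tmp[1024];
    if (in[0] != '/' || strlen(in) >= sizeof tmp || outsz < 2) return -1;
    strcpy(tmp, in);

    size_t len = 1;               /* out always starts as "/" */
    out[0] = '/';
    out[1] = '\0';

    char *save;
    for (char *seg = strtok_r(tmp, "/", &save); seg; seg = strtok_r(NULL, "/", &save)) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            /* pop the last component; ".." at the root stays at the root */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;   /* drop the separator too */
            out[len] = '\0';
            continue;
        }
        size_t sl = strlen(seg);
        if (len + (len > 1 ? 1 : 0) + sl + 1 > outsz) return -1;
        if (len > 1) out[len++] = '/';
        memcpy(out + len, seg, sl);
        len += sl;
        out[len] = '\0';
    }
    return 0;
}

/* Model of the chdir()/VOP_LOOKUP() conditional: a path is allowed only if it
 * is the home directory itself or lies beneath it. The comparison is done on
 * normalised paths and is separator-aware, so /home/alice does not also admit
 * /home/alicebob. Returns 0 if allowed, EPERM otherwise. */
int jailuser_lookup_check(const char *home, const char *path)
{
    char h[1024], p[1024];
    if (normalize_path(home, h, sizeof h) != 0) return EPERM;
    if (normalize_path(path, p, sizeof p) != 0) return EPERM;
    size_t hl = strlen(h);
    if (hl == 1) return 0;                     /* a home of "/" confines nothing */
    if (strncmp(p, h, hl) != 0) return EPERM;  /* not under the home prefix */
    if (p[hl] != '\0' && p[hl] != '/') return EPERM; /* prefix ends mid-component */
    return 0;
}

/* Model of the execve() conditional from the post: a jailuser may not run a
 * setuid program owned by another uid unless the admin granted setuid. A
 * setuid file owned by the caller changes no identity, so it is allowed.
 * Returns 0 if allowed, EPERM otherwise. */
int jailuser_execve_check(uid_t real_uid, int setuid_allowed,
                          uid_t file_uid, mode_t file_mode)
{
    if (!(file_mode & S_ISUID)) return 0;   /* not a setuid binary */
    if (setuid_allowed) return 0;           /* per-user permission granted */
    if (file_uid == real_uid) return 0;     /* setuid to self is a no-op */
    return EPERM;
}

int main(void)
{
    /* Constructed sample input: one jailuser home and a few lookups. */
    const char *home = "/home/alice";
    const char *paths[] = { "/home/alice/work", "/home/alice/../bob",
                            "/home/alicebob/x", "/home/alice/./docs/../" };
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++)
        printf("%-24s -> %s\n", paths[i],
               jailuser_lookup_check(home, paths[i]) == 0 ? "allowed" : "EPERM");

    printf("uid 1001 exec setuid-root binary, setuid not granted -> %s\n",
           jailuser_execve_check(1001, 0, 0, S_ISUID | 0755) == EPERM ? "EPERM" : "allowed");
    return 0;
}
```

The lexical normalisation is enough for the chdir() case because the kernel sees the path before the namei walk; a real in-kernel check on VOP_LOOKUP() would instead compare vnodes so that symlinks and mounts cannot be used to escape, which a string comparison cannot do.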
