[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Savannah-hackers] savannah.gnu.org: submission of jailuser
From: |
kaworu |
Subject: |
[Savannah-hackers] savannah.gnu.org: submission of jailuser |
Date: |
Thu, 21 Jun 2001 16:24:11 -0700 |
A package was submitted to savannah.gnu.org.
This mail was sent to address@hidden, address@hidden
Evan Sarmiento <address@hidden> described the package as follows:
License: mbsd
Other License:
Package: jailuser
System name: jailuser
This package does NOT want to apply for inclusion in the GNU project
I am going to be working on a set of security modules / extentions for the
FreeBSD operating system called \"jailuser.\" Jail chroots() an enviornment and
applies restrictions to each process forked within, for example, users are not
allowed to access the link layer through the Berkley Packet Filter, or use any
SysV IPC. Users of a jail cannot login to a Jail from console, this proposes a
problem to sys admins who have set up a Jail for employees who need physical
access. Jailuser changes the semantics of jail() in numerous ways. First of
all, there is no chroot(). Users are kept to their own home directory through a
\"kernel-backed restricted shell.\" Basically, it is just conditionals on
system calls like chdir() or VOP_LOOKUP() which prohibit users from listing or
changing out of their home directory. Secondly, \'jailusers\' will have all the
same restrictions as jail, but they can login from console. Most importantly,
you can specify if a user is allowed to run setuid programs. There will be a
conditional in execve() like: if (real user id of calling process != uid of
user) return (EPERM);
Currently, I have a semi working implementation of this. I\'ve created the
jailuser() system call, sysvipc is not allowed, and on I\'ve hacked ps so that
jail user processes show up with +U.
There are no URLs, currently, as I\'m just beginning this process. After I do
substantial work, I plan to write an abstract on it for BSDCon 2002.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Savannah-hackers] savannah.gnu.org: submission of jailuser,
kaworu <=