Commit Graph

47 Commits

Author SHA1 Message Date
Poul-Henning Kamp
75c1354190 This Implements the mumbled about "Jail" feature.
This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   mount a /proc in each jail, it will make ps more useable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no privisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
1999-04-28 11:38:52 +00:00
Poul-Henning Kamp
1c308b817a Change suser_xxx() to suser() where it applies. 1999-04-27 12:21:16 +00:00
Poul-Henning Kamp
f711d546d2 Suser() simplification:
1:
  s/suser/suser_xxx/

2:
  Add new function: suser(struct proc *), prototyped in <sys/proc.h>.

3:
  s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/

The remaining suser_xxx() calls will be scrutinized and dealt with
later.

There may be some unneeded #include <sys/cred.h>, but they are left
as an exercise for Bruce.

More changes to the suser() API will come along with the "jail" code.
1999-04-27 11:18:52 +00:00
Matthew Dillon
8aef171243 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-28 00:57:57 +00:00
Don Lewis
65de0c7a93 getpgid() and getsid() were doing a comparision rather than an assignment,
which is fortunate, because otherwise another bug would allow them to be
used to stomp on the syscall return value of another process.
1998-12-13 07:07:51 +00:00
Peter Wemm
1c5bb3eaa1 add #include <sys/kernel.h> where it's needed by MALLOC_DEFINE() 1998-11-10 09:16:29 +00:00
Don Lewis
643a8daaaf If the session leader dies, s_leader is set to NULL and getsid() may
dereference a NULL pointer, causing a panic.  Instead of following
s_leader to find the session id, store it in the session structure.

Jukka found the following info:

	BTW - I just found what I have been looking for. Std 1003.1
	Part 1: SYSTEM API [C LANGUAGE] section 2.2.2.80 states quite
	explicitly...

	Session lifetime: The period between when a session is created
	and the end of lifetime of all the process groups that remain
	as members of the session.

	So, this quite clearly tells that while there is any single
	process in any process group which is a member of the session,
	the session remains as an independent entity.

Reviewed by:	peter
Submitted by:	"Jukka A. Ukkonen" <jau@jau.tmt.tele.fi>
1998-11-09 15:08:04 +00:00
Doug Rabson
10d4743f6f 64bit fixes: use size_t not u_int for sizes. 1998-06-10 10:28:29 +00:00
Sean Eric Fagan
d5f81602a7 Clear the p_stops field on change of user/group id, unless the correct
flag is set in the p_pfsflags field.  This, essentially, prevents an SUID
proram from hanging after being traced.  (E.g., "truss /usr/bin/rlogin" would
fail, but leave rlogin in a stopevent state.)  Yet another case where procctl
is (hopefully ;)) no longer needed in the general case.

Reviewed by:	bde (thanks bruce :))
1997-12-20 03:05:47 +00:00
Eivind Eklund
5591b823d1 Make COMPAT_43 and COMPAT_SUNOS new-style options. 1997-12-16 17:40:42 +00:00
Poul-Henning Kamp
cb226aaa62 Move the "retval" (3rd) parameter from all syscall functions and put
it in struct proc instead.

This fixes a boatload of compiler warning, and removes a lot of cruft
from the sources.

I have not removed the /*ARGSUSED*/, they will require some looking at.

libkvm, ps and other userland struct proc frobbing programs will need
recompiled.
1997-11-06 19:29:57 +00:00
David Greenman
7aef05003a Killed non-sensical call to splimp/splx in crfree(). 1997-10-17 23:52:56 +00:00
Poul-Henning Kamp
a1c995b626 Last major round (Unless Bruce thinks of somthing :-) of malloc changes.
Distribute all but the most fundamental malloc types.  This time I also
remembered the trick to making things static:  Put "static" in front of
them.

A couple of finer points by:	bde
1997-10-12 20:26:33 +00:00
Peter Wemm
1a5018a043 Implement XPG/SYSV-style getpgid()/getsid() syscalls. getpgid() uses the
same syscall number as NetBSD/OpenBSD.  The getpgid() came from NetBSD
(I think) originally, but it's basically cut/paste/edit from the other
simple get*() syscalls.
1997-08-19 06:00:27 +00:00
Bruce Evans
1fd0b0588f Removed unused #includes. 1997-08-02 14:33:27 +00:00
Peter Wemm
b79c6a8603 Don't incorrectly set P_SUGID in setre[ug]id() for no reason, as noticed
by bde.
Don't return EPERM in setre[ug]id() just because the caller passes in
the current effective id in the second arg (ie: no change), as suggested
by ache.
1997-04-02 17:05:49 +00:00
Peter Wemm
b67cbc6548 Implement code for an OpenBSD-style issetuigid().
This is valueable for library code which needs to be able to find out
whether the current process is or *was* set[ug]id at some point in the
past, and may have a "tainted" execution environment.  This is especially
a problem with the trend to immediately revoke privs at startup and regain
them for critical sections.  One problem with this is that if a cracker
is able to compromise the program while it's still got a saved id, the
cracker can direct the program to regain the privs.  Another problem is
that the user may be able to affect the program in some other way (eg:
setting resolver host aliases) and the library code needs to know when it
should disable these sorts of features.

Reviewed by: ache
Inspired by: OpenBSD (but with a different implementation)
1997-03-31 15:13:33 +00:00
Peter Wemm
a89a5370c5 Do not set the P_SUGID flag in seteuid()/setegid() if nothing has changed.
(for supporting issetugid())

Reviewed by: ache  (as was the previous commit, rev 1.29)
1997-03-31 13:47:00 +00:00
Peter Wemm
229a15f084 Do not set the P_SUGID flag in seteuid()/setegid() if nothing has changed.
(for supporting issetugid())
1997-03-31 13:41:49 +00:00
Peter Wemm
a08f4bf601 Fully implement the clause in Appendix B.4.2.2 from Posix 1003.1
that allows traditional BSD setuid/setgid behavior.

The only visible difference should be that a non-root setuid program
(eg: inn's "rnews" program) that is setuid to news, can completely
"become" uid news. (ie: setuid(geteuid())  This was allowed in
traditional 4.2/4.3BSD and is now "blessed" by Posix as a special
case of "appropriate privilige".

Also, be much more careful with the P_SUGID flag so that we can use it
for issetugid() - only set it if something changed.

Reviewed by: ache
1997-03-31 13:36:46 +00:00
Peter Wemm
8a5d815aa0 Make setgroups(0, xxx) behave as it does on SYSV, namely clear the groups
vector except for the egid in groups[0].  There is a risk that programs
that come from SYSV/Linux that expect this to work and don't check for
error returns may accidently pass root's groups on to child processes.

We now do what is least suprising (to non BSD programs/programmers) in
this scenario, and nothing is changed for programs written with BSD groups
rules in mind.

Reviewed by: ache
1997-03-31 13:21:37 +00:00
Andrey A. Chernov
53490b7634 Oops, fix typo. 1997-03-03 23:02:43 +00:00
Andrey A. Chernov
30cf3ac460 Don't copy more than MAXLOGNAME bytes in getlogin() syscall,
it is stricter than padded s_login size check was there.
1997-03-03 22:46:16 +00:00
Andrey A. Chernov
964ca0caee Use MAXLOGNAME for stricter size check in setlogin() syscall instead of
sizeof of padded s_login array
1997-03-03 10:15:48 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
David Nugent
184989c210 Fix off by one error in setlogin() syscall.
Don't overwrite session login unless the call is going to succeed.
1997-02-10 06:18:20 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Bruce Evans
78f64bccfd Fixed setpgid(). Negative pgids were accepted.
Found by:	NIST-PCTS
1996-12-19 13:28:47 +00:00
Bruce Evans
c957118ef9 Added #include of <unistd.h> so that there is some chance that
_POSIX_SAVED_IDS is defined.  This feature was broken for a day
or two.
1996-09-03 12:52:58 +00:00
Andrey A. Chernov
3f24666649 Conditionalize POSIX saved ids code on _POSIX_SAVED_IDS define 1996-09-01 22:15:54 +00:00
David Greenman
cd73303c45 Fix a panic caused by (proc)->p_session being dereferenced for a process
that was exiting.
1996-05-30 01:21:50 +00:00
Bruce Evans
d2d3e8751c Included <sys/sysproto.h> to get central declarations for syscall args
structs and prototypes for syscalls.

Ifdefed duplicated decentralized declarations of args structs.  It's
convenient to have this visible but they are hard to maintain.  Some
are already different from the central declarations.  4.4lite2 puts
them in comments in the function headers but I wanted to avoid the
large changes for that.
1995-11-12 06:43:28 +00:00
Bruce Evans
82970b81a9 Fixed type of setsid(). It used used the bogus `getsid_args'. 1995-11-11 06:53:08 +00:00
David Greenman
3956a1702c Return EINVAL if the number of groups is less than 1 in setgroups().
Obtained from:	4.4BSD-Lite2
1995-11-04 10:50:55 +00:00
Steven Wallace
ad7507e248 Remove prototype definitions from <sys/systm.h>.
Prototypes are located in <sys/sysproto.h>.

Add appropriate #include <sys/sysproto.h> to files that needed
protos from systm.h.

Add structure definitions to appropriate files that relied on sys/systm.h,
right before system call definition, as in the rest of the kernel source.

In kern_prot.c, instead of using the dummy structure "args", create
individual dummy structures named <syscall>_args.  This makes
life easier for prototype generation.
1995-10-08 00:06:22 +00:00
Andrey A. Chernov
00999cd623 Optimized and simplified version of setreuid/gid
Fixed: lack of crcopy in certain conditions, lack
of setting sv[ug]id in certain conditions. Fixes non-critical.
1995-06-15 22:32:03 +00:00
Andrey A. Chernov
2c3be6c34e set[ug]id(): call suser() only when neccesarry
Submitted by: bde
1995-04-29 11:46:15 +00:00
Andrey A. Chernov
d3cdb93dd8 Implement POSIX SAVED_IDS for setuid/setgid 1995-04-28 18:17:29 +00:00
Andrey A. Chernov
611d721e70 setre*(): simplify return scheme, pointed by Bruce 1995-04-28 17:00:27 +00:00
Andrey A. Chernov
4bc8f31ff3 Implement setreuid/setregid according to SunOS manpage 1995-04-27 19:23:24 +00:00
Andrey A. Chernov
e876c909da Make setreuid/setregid active syscalls 1995-04-23 12:22:06 +00:00
Bruce Evans
453de7da68 Correct the type of the `acflag' arg to suser(). 1995-04-23 08:31:02 +00:00
Søren Schmidt
6fc4a1ae38 Added ifdef COMPAT_IBCS2 around setre[ug]id. 1994-10-13 20:59:49 +00:00
Poul-Henning Kamp
bb56ec4a05 While in the real world, I had a bad case of being swapped out for a lot of
cycles.  While waiting there I added a lot of the extra ()'s I have, (I have
never used LISP to any extent).  So I compiled the kernel with -Wall and
shut up a lot of "suggest you add ()'s", removed a bunch of unused var's
and added a couple of declarations here and there.  Having a lap-top is
highly recommended.  My kernel still runs, yell at me if you kernel breaks.
1994-09-25 19:34:02 +00:00
David Greenman
3c4dd3568f Added $Id$ 1994-08-02 07:55:43 +00:00
Rodney W. Grimes
26f9a76710 The big 4.4BSD Lite to FreeBSD 2.0.0 (Development) patch.
Reviewed by:	Rodney W. Grimes
Submitted by:	John Dyson and David Greenman
1994-05-25 09:21:21 +00:00
Rodney W. Grimes
df8bae1de4 BSD 4.4 Lite Kernel Sources 1994-05-24 10:09:53 +00:00