As far as I can tell, yes... I have several jails running within my master environment and there are quite a few ways for a user in the jail to realize that they're actually in the jail.

ro...@dolza.p11.com:/usr/ports# mount /dev/ad0s1a on / (ufs, local) /dev/ad0s1f on /usr (ufs, local, with quotas) /dev/ad0s1e on /var (ufs, local) procfs on /proc (procfs, local) procfs on /usr/jail/dolza.p11.com/proc (procfs, local) procfs on /usr/jail/exedore.p11.com/proc (procfs, local) procfs on /usr/jail/breetai.p11.com/proc (procfs, local)

ps being another one; note the 'J': ro...@exedore.p11.com:/etc# ps PID TT STAT TIME COMMAND 68462 p9- IJ 0:00.01 /bin/sh /usr/local/bin/safe_mysqld --user=mysql 33488 pc R+J 0:00.00 ps 58200 pc SJ 0:00.04 -su (bash)

Although there are ways to "hack" your jail to fake users into believing they are acutally on a real environment. As with the above example, it's rather trivial to recompile ps by removing the switch for the 'J' flag: ro...@dolza.p11.com:/usr/ports# ps PID TT STAT TIME COMMAND 32266 p7 I+ 0:00.02 -su (bash) 63606 p8- I 0:00.01 /bin/sh /usr/local/bin/safe_mysqld --user=mysql 33487 pd R+ 0:00.00 ps 58217 pd S 0:00.11 -su (bash)

But there are too many little instances that I seem to overlook. Does anyone know of a project (freshmeat?) out there that does this? Or am I just unusual for wanting users to believe they're not in a jail?

To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message