# Unprivileged jails



## mod3777 (Mar 27, 2019)

Linux has unprivileged containers, through which a user can manage containers if the admin allows it via a special config file, faking some parts with user subuids and subgids, while others, like creating devices, etc… are "bypassed" during the installation process of "tweaked" templates from lxchub (or whatever it is). Then the user can manage some sort of device nodes... at least that's how I understand it.


```
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# Using Bridge
USE_LXC_BRIDGE="true"

# Device nodes
lxc.cgroup.devices.allow = c 116:* rwm
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir

# Network namespaces
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.name = eth1
lxc.network.flags = up
lxc.network.hwaddr = 08:00:27:e5:c3:29
lxc.aa_allow_incomplete = 1

# Include systemwide tweaks
# lxc.include = /etc/lxc/default.conf
```

Now I wonder if FreeBSD jails can do so securely. It looks like, technically, jails are more like chroot on steroids rather than containers. I personally don't have any limitations with this, but can anyone technically explain the differences of jails vs (lxc+docker)?


----------



## unitrunker (Mar 27, 2019)

Ask this guy:

FreeBSD Mastery: Jails (www.tiltedwindmillpress.com)

> CONFINE YOUR SOFTWARE Jails are FreeBSD’s most legendary feature: known to be powerful, tricky to master, and cloaked in decades of dubious lore. Deploying jails calls upon every sysadmin skill you…


----------



## D-FENS (Mar 27, 2019)

Yes, you can use the following properties in your jail.conf:

```
exec.system_user = "root";
exec.jail_user = "root";
```

Just read the manual page, jail(8); it has quite a good explanation.


----------



## D-FENS (Mar 27, 2019)

mod3777 said:


> It looks like, technically jails are more chroot on steroids rather than containers. I personally don't have any limitations with this, but can anyone technically explain the differences of Jails vs (lxc+docker)?


Containers are also basically chroot with a bunch of scripts on top of it to help set things up. The differences boil down to implementation details but the principle is the same.

With jails you can implement two strategies - you can have a complete environment (thick jail) with its own init scripts etc., or you can implement a thin jail (ldd+cp method) where you put only the binary you need in the jail. The same can be done with LXC and Docker. It's actually all the same - chroot with code that helps set up the chrooted environment. The rest is implementation details.


----------



## mod3777 (Mar 27, 2019)

roccobaroccoSC said:


> Containers are also basically chroot with a bunch of scripts on top of it to help set things up. The differences boil down to implementation details but the principle is the same.
> 
> With jails you can implement two strategies - you can have a complete environment (thick jail) with its own init scripts etc, or you can implement a thin jail (ldd+cp method) where you put only the binary you need in the jail. The same can be done with LxC and Docker. It's actually all the same - chroot with code that helps set up the chrooted environment. The rest is implementation details.

roccobaroccoSC said:


> Yes, you can use the following properties in your jail.conf:
> 
> ```
> exec.system_user = "root";
> ...



I tried what you said. I think you misunderstood the part `jexec -u`. I was consulting about executing jexec as a local user. Like this:

```
$ lxc-start -n "containerName" -F   # Starts the container without root
% jexec buildtank                   # Fails with "Operation not permitted"
```


```
dext3r@eula47 ~ % cat /etc/jail.conf
# /etc/jail.conf

allow.raw_sockets = 1;
allow.read_msgbuf = 1;
allow.mount = 1;
allow.mount.devfs = 1;

mount.devfs;
allow.mount.nullfs;

# Global settings applied to all jails.
exec.system_user = "root";
exec.jail_user = "root";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;

# The jail definition for talon1
buildtank {
    host.hostname = buildtank;              # Hostname
    path = "/usr/local/jails/buildtank";    # Path to the jail
    interface = "ue0";                      # Network interface name
    ip4.addr = 192.168.100.102;             # IP Address assigned
}
dext3r@eula47 ~ % jexec buildtank
jexec: jail_attach(5): Operation not permitted // eh, lxc allows this as nonroot
```

Umm, still requires root privileges for jexec.


----------



## D-FENS (Mar 27, 2019)

Well, you have to adjust the system and jail users. "root" should be changed to whatever user you want to use instead of root.
Also, you may have to chown the jail directory to that user, I am not sure about this, I have not used it yet. See the man page.


----------



## hukadan (Mar 27, 2019)

You should use sysutils/jailme to accomplish that provided that the username and UID match between the jail and the host system.
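The username/UID match that jailme requires, as an added shell example (not jailme's own code): the `check_jail_user_match` helper below is assumed, and it compares a user's entry in the host's and the jail's passwd-style files before anything would attempt an attach; the two passwd files are constructed samples.

```shell
#!/bin/sh
# Assumed helper (not part of sysutils/jailme): a user may only be let into
# a jail when the same username carries the same UID on host and in jail.
# Returns 0 on a match; 1/2/3 name the reason for refusing.

passwd_uid() {
    # $1 = passwd file, $2 = username; prints the UID field, or nothing
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

check_jail_user_match() {
    host_pw=$1; jail_pw=$2; user=$3
    host_uid=$(passwd_uid "$host_pw" "$user")
    jail_uid=$(passwd_uid "$jail_pw" "$user")
    if [ -z "$host_uid" ]; then
        echo "$user: not present on host" >&2; return 1
    fi
    if [ -z "$jail_uid" ]; then
        echo "$user: not present in jail" >&2; return 2
    fi
    if [ "$host_uid" != "$jail_uid" ]; then
        echo "$user: UID $host_uid on host but $jail_uid in jail" >&2; return 3
    fi
    return 0
}

# Constructed sample passwd files; not taken from any real system.
tmpd=$(mktemp -d)
cat > "$tmpd/host.passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
dext3r:*:1001:1001:Example user:/home/dext3r:/bin/sh
builder:*:1002:1002:Build user:/home/builder:/bin/sh
EOF
cat > "$tmpd/jail.passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
dext3r:*:1001:1001:Example user:/home/dext3r:/bin/sh
builder:*:2000:2000:Build user:/home/builder:/bin/sh
EOF

# dext3r matches (1001 on both sides); builder does not (1002 vs 2000).
check_jail_user_match "$tmpd/host.passwd" "$tmpd/jail.passwd" dext3r && echo "dext3r: OK to attach"
check_jail_user_match "$tmpd/host.passwd" "$tmpd/jail.passwd" builder || echo "builder: refused"
```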


----------



## mod3777 (Mar 27, 2019)

I have found a resource that says:


> it's possible to escape a jail given unprivileged access to the host, which is what we'd be doing here. So we need to either decide that's OK (that we trust folks to not *deliberately* wreak havoc, and are using this only to limit accidental damage), or find another way (probably running sshd in jails).



Here: Unprivileged jexec


----------



## mod3777 (Mar 27, 2019)

hukadan said:


> You should use sysutils/jailme to accomplish that provided that the username and UID match between the jail and the host system.



Looks like this is what I wanted.


----------

