diff options
author | Mariusz Zaborski <oshogbo@FreeBSD.org> | 2020-11-18 21:07:08 +0000 |
---|---|---|
committer | Mariusz Zaborski <oshogbo@FreeBSD.org> | 2020-11-18 21:07:08 +0000 |
commit | 05e1e482c7db7a2a3163b1308d36a75f30ccbe6a (patch) | |
tree | e852562ea021be0066fef3a04d0cd7f3a8934a2a /usr.sbin | |
parent | 21fe9441e13f2d4d710adfc5cf81abc0defb649a (diff) | |
download | src-test2-05e1e482c7db7a2a3163b1308d36a75f30ccbe6a.tar.gz src-test2-05e1e482c7db7a2a3163b1308d36a75f30ccbe6a.zip |
jail: introduce per jail suser_enabled setting
The suser_enable sysctl allows to remove a privileged rights from uid 0.
This change introduce per jail setting which allow to make root a
normal user.
Reviewed by: jamie
Previous version reviewed by: kevans, emaste, markj, me_igalic.co
Discussed with: pjd
Differential Revision: https://reviews.freebsd.org/D27128
Notes
Notes:
svn path=/head/; revision=367819
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/jail/jail.8 | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index b43eb765292b..cc3561f03f6a 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 14, 2020 +.Dd November 18, 2020 .Dt JAIL 8 .Os .Sh NAME @@ -587,6 +587,13 @@ and resource limits. The jail root may bind to ports lower than 1024. .It Va allow.unprivileged_proc_debug Unprivileged processes in the jail may use debugging facilities. +.It Va allow.suser +The value of the jail's +.Va security.bsd.suser_enabled +sysctl. +The super-user will be disabled automatically if its parent system has it +disabled. +The super-user is enabled by default. .El .El .Pp @@ -1267,6 +1274,7 @@ Changes to these variables by a jailed process do not affect the host environment, only the jail environment. These variables are .Va kern.securelevel , +.Va security.bsd.suser_enabled , .Va kern.hostname , .Va kern.domainname , .Va kern.hostid , |