Host system and jail user id's

[nforced]

I notice that users on the jails host system that have same id's as users inside jails can kill jail user processes.

For example let's say I'm logged with user mrX which has uid=1001 on the host system and I have a jail X with user mrY uid=1001, in this case my mrX user can kill any process that mrY started.

I have set security.bsd.see_other_uids=0 which doesn't make any difference, mrX can see/kill all processes started by uid=1001 no matter if they belong to jail or not.
Is this the intended behavior and if so is there a way to prevent this?

 

[kpa]

A jail is not a virtual machine but a glorified chroot(8). All user IDs are handled by their numbers inside the kernel and this means the kernel can't tell apart user mrX from user mrY if both have the same ID number even if the other one is from the jail and the other one isn't. It is also assumed that if you share user IDs between the host and the jail you're intending to have control on the jailed processes from the host using the shared user ID.

 

[nforced]

I see, that makes sense, I just wanted to confirm if that's the case, thanks!

 

[CyberCr33p]

Check sysctl security.bsd.see_jail_proc