From owner-freebsd-security@FreeBSD.ORG Sun May 8 02:46:07 2011
From: Edho P Arief
Date: Sun, 8 May 2011 09:15:28 +0700
To: Jamie Landeg Jones
Cc: freebsd-security@freebsd.org, feld@feld.me, utisoft@gmail.com
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
In-Reply-To: <201105072231.p47MVktY035491@catflap.bishopston.net>

On Sun, May 8, 2011 at 5:31 AM, Jamie Landeg Jones wrote:
>> All the same, I've sent a PR [1] with some doc patches to make people
>> more aware of this -- fulfilling my promise of 2+ years ago :S
>>
>> Thanks!
>>
>> Chris
>>
>> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853
>
> Um. Some problems here.
>
> A jail won't work for not-root users if the jail root directory is chmod 700 - although
> there is obviously a 'chroot' running within the jail, the jailed user still needs
> to have read permission from the host's / -- chmod 700 therefore locks all non-root
> users out.
>

It's weird - I don't remember having such a problem after setting jails'
root directory permission to 700. I don't have the system anymore so I
can't verify it just yet.
From owner-freebsd-security@FreeBSD.ORG Sun May 8 07:52:10 2011
From: Jason Hellenthal
Date: Sun, 8 May 2011 03:52:03 -0400
To: Edho P Arief
Cc: Jamie Landeg Jones, freebsd-security@freebsd.org, feld@feld.me, utisoft@gmail.com
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
Message-ID: <20110508075203.GA61754@DataIX.net>

Edho,

On Sun, May 08, 2011 at 09:15:28AM +0700, Edho P Arief wrote:
> On Sun, May 8, 2011 at 5:31 AM, Jamie Landeg Jones wrote:
> >> All the same, I've sent a PR [1] with some doc patches to make people
> >> more aware of this -- fulfilling my promise of 2+ years ago :S
> >>
> >> Thanks!
> >>
> >> Chris
> >>
> >> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853
> >
> > Um. Some problems here.
> >
> > A jail won't work for not-root users if the jail root directory is chmod 700 - although
> > there is obviously a 'chroot' running within the jail, the jailed user still needs
> > to have read permission from the host's / -- chmod 700 therefore locks all non-root
> > users out.
> >
>
> It's weird - I don't remember having such a problem after setting jails'
> root directory permission to 700. I don't have the system anymore so I
> can't verify it just yet.

It should also be noted here that the jailed root user also has permission
to chmod(1) '/' to anything he or she wants unless you have taken
precaution to not allow that. I would recommend storing your jails two
levels deep into a directory and chmod(1) 700 the first level to prevent
access from the host and from the jailed root user changing the perms.

-- 
Regards, (jhell)
Jason Hellenthal

From owner-freebsd-security@FreeBSD.ORG Sun May 8 07:56:16 2011
From: Edho P Arief
Date: Sun, 8 May 2011 14:55:55 +0700
To: Jason Hellenthal
Cc: Jamie Landeg Jones, freebsd-security@freebsd.org, feld@feld.me, utisoft@gmail.com
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
In-Reply-To: <20110508075203.GA61754@DataIX.net>

On Sun, May 8, 2011 at 2:52 PM, Jason Hellenthal wrote:
>
> Edho,
>
> It should also be noted here that the jailed root user also has permission
> to chmod(1) '/' to anything he or she wants unless you have taken
> precaution to not allow that. I would recommend storing your jails two
> levels deep into a directory and chmod(1) 700 the first level to prevent
> access from the host and from the jailed root user changing the perms.
>

I indeed changed the permission above the jail's root. I usually make it
like this: /jails/jailname/root and I set 700 on /jails/jailname.

It's been a long time but as I said before I don't remember encountering
a permission problem in the jail. Or perhaps I remembered it wrong.

From owner-freebsd-security@FreeBSD.ORG Sun May 8 08:58:36 2011
From: Chris Rees
Date: Sun, 8 May 2011 09:58:05 +0100
To: Jason Hellenthal
Cc: Jamie Landeg Jones, freebsd-security@freebsd.org, feld@feld.me, Edho P Arief
Reply-To: utisoft@gmail.com
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
In-Reply-To: <20110508075203.GA61754@DataIX.net>

On 8 May 2011 08:52, Jason Hellenthal wrote:
>
> Edho,
>
> On Sun, May 08, 2011 at 09:15:28AM +0700, Edho P Arief wrote:
>> On Sun, May 8, 2011 at 5:31 AM, Jamie Landeg Jones wrote:
>> >> All the same, I've sent a PR [1] with some doc patches to make people
>> >> more aware of this -- fulfilling my promise of 2+ years ago :S
>> >>
>> >> Thanks!
>> >>
>> >> Chris
>> >>
>> >> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853
>> >
>> > Um. Some problems here.
>> >
>> > A jail won't work for not-root users if the jail root directory is chmod 700 - although
>> > there is obviously a 'chroot' running within the jail, the jailed user still needs
>> > to have read permission from the host's / -- chmod 700 therefore locks all non-root
>> > users out.
>> >
>>
>> It's weird - I don't remember having such a problem after setting jails'
>> root directory permission to 700. I don't have the system anymore so I
>> can't verify it just yet.
>
> It should also be noted here that the jailed root user also has permission
> to chmod(1) '/' to anything he or she wants unless you have taken
> precaution to not allow that. I would recommend storing your jails two
> levels deep into a directory and chmod(1) 700 the first level to prevent
> access from the host and from the jailed root user changing the perms.
>

Oops, you're absolutely right.

I've updated the docs patches (links at [1]), though unfortunately it
means it's a little less elegant; I'm reluctant to suggest

# chmod 0700 $D/..

in case someone sets $D to /usr/local/myjail or similar...

Chris

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/156853

From owner-freebsd-security@FreeBSD.ORG Sun May 8 08:59:26 2011
From: Chris Rees
Date: Sun, 8 May 2011 09:58:55 +0100
To: Jamie Landeg Jones
Cc: freebsd-security@freebsd.org, feld@feld.me
Reply-To: utisoft@gmail.com
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
In-Reply-To: <201105072231.p47MVktY035491@catflap.bishopston.net>

On 7 May 2011 23:31, Jamie Landeg Jones wrote:
>> All the same, I've sent a PR [1] with some doc patches to make people
>> more aware of this -- fulfilling my promise of 2+ years ago :S
>>
>> Thanks!
>>
>> Chris
>>
>> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853
>
> Um. Some problems here.
>
> A jail won't work for not-root users if the jail root directory is chmod 700 - although
> there is obviously a 'chroot' running within the jail, the jailed user still needs
> to have read permission from the host's / -- chmod 700 therefore locks all non-root
> users out.
>
> I would suggest you add to the docs about the UID clash problem - untrusted users on the host
> shouldn't have the same UID/GID as jailed users, as they will have access to their files.
>
> And of course, the bit mentioned earlier where an untrusted jail user with jail-root access
> should NEVER have access to the host!
>
> Among other things, my password file in both jails and the host has this line:
>
> # 8000 to 9999  -  Reserved for use within jails - do not use in main host!
>

Thanks! Updated the patches about chmodding (d'oh), and I'll send another
later about UIDs.

Chris

From owner-freebsd-security@FreeBSD.ORG Sun May 8 17:39:46 2011
From: Jason Hellenthal
Date: Sun, 8 May 2011 13:39:31 -0400
To: Chris Rees
Cc: Jamie Landeg Jones, freebsd-security@freebsd.org, feld@feld.me, Edho P Arief
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
Message-ID: <20110508173931.GA2757@DataIX.net>

Chris,

On Sun, May 08, 2011 at 09:58:05AM +0100, Chris Rees wrote:
> On 8 May 2011 08:52, Jason Hellenthal wrote:
> >
> > Edho,
> >
> > On Sun, May 08, 2011 at 09:15:28AM +0700, Edho P Arief wrote:
> >> On Sun, May 8, 2011 at 5:31 AM, Jamie Landeg Jones wrote:
> >> >> All the same, I've sent a PR [1] with some doc patches to make people
> >> >> more aware of this -- fulfilling my promise of 2+ years ago :S
> >> >>
> >> >> Thanks!
> >> >>
> >> >> Chris
> >> >>
> >> >> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853
> >> >
> >> > Um. Some problems here.
> >> >
> >> > A jail won't work for not-root users if the jail root directory is chmod 700 - although
> >> > there is obviously a 'chroot' running within the jail, the jailed user still needs
> >> > to have read permission from the host's / -- chmod 700 therefore locks all non-root
> >> > users out.
> >> >
> >>
> >> It's weird - I don't remember having such a problem after setting jails'
> >> root directory permission to 700. I don't have the system anymore so I
> >> can't verify it just yet.
> >
> > It should also be noted here that the jailed root user also has permission
> > to chmod(1) '/' to anything he or she wants unless you have taken
> > precaution to not allow that. I would recommend storing your jails two
> > levels deep into a directory and chmod(1) 700 the first level to prevent
> > access from the host and from the jailed root user changing the perms.
> >
>
> Oops, you're absolutely right.
>
> I've updated the docs patches (links at [1]), though unfortunately it
> means it's a little less elegant; I'm reluctant to suggest
>
> # chmod 0700 $D/..
>

Haha I would strongly suggest against that ;) Not knowing where people are
keeping the jails would impose quite a bit of harm if they did have them
in places like that or /var/jailname. Unfortunately in this case we can
only update the docs and hope that the user will keep up-to-date with
reading them.

Only other possibility I see is ensuring that no one inside the jail can
chmod or do anything on / but this may actually be quite tough.

> in case someone sets $D to /usr/local/myjail or similar...
>
> Chris
>
> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/156853

-- 
Regards, (jhell)
Jason Hellenthal

From owner-freebsd-security@FreeBSD.ORG Mon May 9 11:04:20 2011
From: Chris Rees
Date: Mon, 9 May 2011 12:03:48 +0100
To: Dag-Erling Smørgrav
Cc: Jamie Landeg Jones, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org
Reply-To: utisoft@gmail.com
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
In-Reply-To: <86fwoof8lj.fsf@ds4.des.no>

2011/5/9 Dag-Erling Smørgrav:
> Jason Hellenthal writes:
>> Chris Rees writes:
>> > I've updated the docs patches (links at [1]), though unfortunately it
>> > means it's a little less elegant; I'm reluctant to suggest
>> >
>> > # chmod 0700 $D/..
>> Haha I would strongly suggest against that ;) Not knowing where people are
>> keeping the jails would impose quite a bit of harm if they did have them
>> in places like that or /var/jailname.
>
> What do you mean, "not knowing where people are keeping the jails"?
> Only root can start a jail, so there is no risk of anyone starting a
> hidden jail somewhere.  Besides, jls(8) lists the root path of each
> jail.

From a docs point of view, if I were to type:

# setenv D /usr/local/myjail

and then:

# chmod 0700 $D/..

then I'd end up chmod'ing 700 /usr/local

This is the point I'm making, I can't recommend in the docs that one
chmods $D/.. because we (the docs writers) don't know what the user
(the reader) is going to set $D to.

Chris

From owner-freebsd-security@FreeBSD.ORG Mon May 9 11:09:23 2011
From: Dag-Erling Smørgrav
Date: Mon, 09 May 2011 12:53:44 +0200
To: Jason Hellenthal
Cc: Jamie Landeg Jones, freebsd-security@freebsd.org, feld@feld.me, Edho P Arief, Chris Rees
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
Message-ID: <86fwoof8lj.fsf@ds4.des.no>
In-Reply-To: <20110508173931.GA2757@DataIX.net>
Jason Hellenthal writes:
> Chris Rees writes:
> > I've updated the docs patches (links at [1]), though unfortunately it
> > means it's a little less elegant; I'm reluctant to suggest
> >
> > # chmod 0700 $D/..
> Haha I would strongly suggest against that ;) Not knowing where people are
> keeping the jails would impose quite a bit of harm if they did have them
> in places like that or /var/jailname.

What do you mean, "not knowing where people are keeping the jails"?
Only root can start a jail, so there is no risk of anyone starting a
hidden jail somewhere.  Besides, jls(8) lists the root path of each
jail.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon May 9 12:34:16 2011
From: Dag-Erling Smørgrav
Date: Mon, 09 May 2011 14:34:14 +0200
To: utisoft@gmail.com
Cc: Jamie Landeg Jones, freebsd-security@freebsd.org, feld@feld.me, Edho P Arief
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P�tur)
Message-ID: <86zkmwdpdl.fsf@ds4.des.no>
In-Reply-To: <86fwoof8lj.fsf@ds4.des.no>

Chris Rees writes:
> This is the point I'm making, I can't recommend in the docs that one
> chmods $D/.. because we (the docs writers) don't know what the user
> (the reader) is going to set $D to.

Ah, OK.  But you could provide an example where $D is /var/jail, or
something along those lines.

DES
-- 
Dag-Erling Smørgrav - des@des.no
(PDT) Sender: "J. Hellenthal" Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.4/8.14.4) with ESMTP id p49EnnTZ078825 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 9 May 2011 10:49:50 -0400 (EDT) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net (8.14.4/8.14.4/Submit) id p49EnmYZ078824; Mon, 9 May 2011 10:49:48 -0400 (EDT) (envelope-from jhell@DataIX.net) Date: Mon, 9 May 2011 10:49:47 -0400 From: Jason Hellenthal To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= Message-ID: <20110509144947.GB77054@DataIX.net> References: <201105072231.p47MVktY035491@catflap.bishopston.net> <20110508075203.GA61754@DataIX.net> <20110508173931.GA2757@DataIX.net> <86fwoof8lj.fsf@ds4.des.no> <86zkmwdpdl.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz" Content-Disposition: inline In-Reply-To: <86zkmwdpdl.fsf@ds4.des.no> X-OpenPGP-Key-Id: 0x89D8547E X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E X-OpenPGP-Key-URL: http://bit.ly/0x89D8547E Cc: Jamie Landeg Jones , freebsd-security@freebsd.org, feld@feld.me, Edho P Arief , utisoft@gmail.com Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 May 2011 14:49:56 -0000 --0eh6TmSyL6TZE2Uz Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Dag-Erling, On Mon, May 09, 2011 at 02:34:14PM +0200, Dag-Erling Sm=F8rgrav wrote: > Chris Rees writes: > > This is the point I'm making, I can't recommend in the docs that one > > chmods $D/.. because we (the docs writers) don't know what the user > > (the reader) is going to set $D to. 
>=20 > Ah, OK. But you could provide an example where $D is /var/jail, or > something along those lines. >=20 Do you know if there is a way that chmod on / from within the jail could=20 be prevented easily without breaking something ? Maybe not failing but=20 falling though and return 0 for any operation with the sole argument of /. --=20 Regards, (jhell) Jason Hellenthal --0eh6TmSyL6TZE2Uz Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (FreeBSD) Comment: http://bit.ly/0x89D8547E iQEcBAEBAgAGBQJNx/8LAAoJEJBXh4mJ2FR+IicH+wYSZ/QFJRz0zlN3VcTUWwwC zerzHVtr2gwKFTtYiStSKJ2fH/N3vuDMNmU8AF9nvPLm1dwUo1DuWlo0B290FIQ7 5IGKDXSbXy7AGgWTFG2Mockp4X4fQ05nZRxXSMvIlk+HhD1BSA1s2KKWiV0FR/et rnsAMqTEcAt4cbZ4oh8MQsOdu6idhZJ0z3dXXKhfBW0H7Sf1CXiKztH3UrCvidpe oQHD8i03q5G7BmKVUMJsk7mjUJasm6aLFV/n1UckqAaE/XfHoGj7x4pW8wsQ1ORv cauwJ22uGOiB2CCF95w5ndAUj2dmbpuis+dxkVyYzxZD/tJ0mAt/cKs6oai77BY= =32va -----END PGP SIGNATURE----- --0eh6TmSyL6TZE2Uz-- From owner-freebsd-security@FreeBSD.ORG Mon May 9 19:28:59 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A63A0106566B for ; Mon, 9 May 2011 19:28:59 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [66.148.74.41]) by mx1.freebsd.org (Postfix) with ESMTP id 878008FC15 for ; Mon, 9 May 2011 19:28:58 +0000 (UTC) X-Catflap-Envelope-From: Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.4/8.14.3) with ESMTP id p49Bt701053329; Mon, 9 May 2011 12:55:07 +0100 (BST) (envelope-from jamie@catflap.bishopston.net) Received: (from jamie@localhost) by catflap.bishopston.net (8.14.4/8.12.9/Submit) id p49Bt604053259; Mon, 9 May 2011 12:55:06 +0100 (BST) From: Jamie Landeg Jones Message-Id: <201105091155.p49Bt604053259@catflap.bishopston.net> Date: Mon, 09 May 2011 12:55:06 +0100 
Organization: http://www.bishopston.com/jamie/ To: jamie@bishopston.net, edhoprima@gmail.com References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> In-Reply-To: User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.7 (catflap.bishopston.net [127.0.0.1]); Mon, 09 May 2011 12:55:07 +0100 (BST) X-Virus-Scanned: clamav-milter 0.97 at catflap.bishopston.net X-Virus-Status: Clean Cc: freebsd-security@freebsd.org, feld@feld.me, utisoft@gmail.com Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails =?iso-8859-1?q?=28P=C3=AF=C2=BF=C2=BDtur=29?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 May 2011 19:28:59 -0000 > > A jail won't work for not-root users if the jail root directory is chmod 700 - although > > there is obviously a 'chroot' running withing the jail, the jailed user still needs > > to have read permission from the hosts / -- chmod 700 therefore locks all non-root > > users out. > > > > It's weird - I don't remember having such problem after setting jails' > root directory permission to 700. I don't have the system anymore so I > can't verify it just yet. I just tried it again (Freebsd 8.2) and I am wrong. Setting 700 on the jail root does indeed mess things up. But setting it on the parent (e.g. /usr/jails), and things are fine. Stupidly of me, that makes perfect sense. 
The non-privileged user needs read access to the jails "/" Sorry for the spam From owner-freebsd-security@FreeBSD.ORG Tue May 10 01:12:55 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 60FC11065673 for ; Tue, 10 May 2011 01:12:55 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id 12C908FC0A for ; Tue, 10 May 2011 01:12:54 +0000 (UTC) Received: by iyj12 with SMTP id 12so6852299iyj.13 for ; Mon, 09 May 2011 18:12:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:date:from:to:cc:subject:message-id :references:mime-version:content-type:content-disposition :in-reply-to:x-openpgp-key-id:x-openpgp-key-fingerprint :x-openpgp-key-url; bh=YgozxltYDZOqVNpTnpTAJ6mLsDhN+TUom5wJ3qlXWYM=; b=K1lLKjyn1WfQcqS5VNqhofkCTGT+ZDZnLITuvOhbjjOA5/fItJzsuEyU5Cv5UDEN/a xCzHwAPurdqnQKzdtVwURL0AQVwvJIu2UWZtw6b8zaDzefgSntHzV7ThjF5qDROJkqPP 5EDt53saWMXjT9rduLsL9c34fmNIXi/UQi3pE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:x-openpgp-key-id :x-openpgp-key-fingerprint:x-openpgp-key-url; b=V77fqkc1yIVQiGFHN/YBjxc0w317YyUNx/0m/kFztprOlZZlshx4BJQuOIcyfOFJIK iZvU5Y5XvuL9MKXgR4Th1dErMt4WGn2XD8lI3snhPOpauKaHHZbIfqflP27FAYMX2yqc zvKN2KzK/DH/ovLe89gubATKT2+diPCRW70lw= Received: by 10.231.11.68 with SMTP id s4mr3721114ibs.152.1304989974096; Mon, 09 May 2011 18:12:54 -0700 (PDT) Received: from DataIX.net (adsl-99-190-84-116.dsl.klmzmi.sbcglobal.net [99.190.84.116]) by mx.google.com with ESMTPS id gx2sm2858543ibb.26.2011.05.09.18.12.52 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 09 May 2011 18:12:53 -0700 (PDT) Sender: "J. 
Hellenthal" Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.4/8.14.4) with ESMTP id p4A1CnJM008679 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 9 May 2011 21:12:50 -0400 (EDT) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net (8.14.4/8.14.4/Submit) id p4A1Cnrv008678; Mon, 9 May 2011 21:12:49 -0400 (EDT) (envelope-from jhell@DataIX.net) Date: Mon, 9 May 2011 21:12:49 -0400 From: Jason Hellenthal To: Jamie Landeg Jones Message-ID: <20110510011249.GE2558@DataIX.net> References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> <201105091155.p49Bt604053259@catflap.bishopston.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZRyEpB+iJ+qUx0kp" Content-Disposition: inline In-Reply-To: <201105091155.p49Bt604053259@catflap.bishopston.net> X-OpenPGP-Key-Id: 0x89D8547E X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E X-OpenPGP-Key-URL: http://bit.ly/0x89D8547E Cc: freebsd-security@freebsd.org, feld@feld.me, edhoprima@gmail.com, utisoft@gmail.com Subject: Re: Rooting FreeBSD , =?iso-8859-1?q?Privilege_Escalation_using_J?= =?iso-8859-1?q?ails_=28P=C3=AF=C2=BF=C2=BDtur=29?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 01:12:55 -0000 --ZRyEpB+iJ+qUx0kp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Jamie, On Mon, May 09, 2011 at 12:55:06PM +0100, Jamie Landeg Jones wrote: > > > A jail won't work for not-root users if the jail root directory is ch= mod 700 - although > > > there is obviously a 'chroot' running withing the jail, the jailed us= er still needs > > > to have read 
permission from the hosts / -- chmod 700 therefore locks= all non-root > > > users out. > > > > > > > It's weird - I don't remember having such problem after setting jails' > > root directory permission to 700. I don't have the system anymore so I > > can't verify it just yet. >=20 > I just tried it again (Freebsd 8.2) and I am wrong. >=20 > Setting 700 on the jail root does indeed mess things up. But setting it on > the parent (e.g. /usr/jails), and things are fine. >=20 > Stupidly of me, that makes perfect sense. The non-privileged user needs > read access to the jails "/" >=20 > Sorry for the spam In no-way is it spam. Consider it a 'test'imonial to others that may ask=20 that question in the future ;) Tip: Quick way to lock your system down to only root: ( chmod g=3D / )=20 ***Emergency Use Only**** "molly guard not present" "slippery when throbbed" Side effect of that is its not really nice for processes=20 that run with lower privileges and isn't always apparent why things are=20 not working correctly so its best to just use nologin or drop to SU.=20 --=20 Regards, (jhell) Jason Hellenthal --ZRyEpB+iJ+qUx0kp Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (FreeBSD) Comment: http://bit.ly/0x89D8547E iQEcBAEBAgAGBQJNyJEQAAoJEJBXh4mJ2FR+j3IH/1gMoLoduCOvEV0p/ryJTN90 KaBSAk0qMciEAY9Qk7fbYVfbTTtAVoAMfMGt6xngjk39LPqvC4ID6UOPmYhhGtul G5p47MrS3BQ8BEOSp8qJY9l+R9arKMFpCMIfKXWmcHjgiN+thKM8Veifu+zgmn6q eD4Hemk4ae6c4TJmsVhUAJWMoeRRhBH1Y8eetj+79qStRrfu5xg56MsXKgwuoUiM nlmSNxP9eo0hTwp0zm5fWYoDr3d0f2cJiPC2U/8AHTzd5rro+gqMt/ACwe2ABkN/ GywfRys75ty8xvctysRyla+r0Ww1v1IcwaWClrvKTvYBl1gdALBa+tLuceqwF9g= =1KnA -----END PGP SIGNATURE----- --ZRyEpB+iJ+qUx0kp-- From owner-freebsd-security@FreeBSD.ORG Tue May 10 10:28:31 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 483371065670 for ; Tue, 10 May 2011 10:28:31 
+0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 032888FC15 for ; Tue, 10 May 2011 10:28:30 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 277C61FFC35; Tue, 10 May 2011 10:28:29 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 019CE844DF; Tue, 10 May 2011 12:28:29 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Jason Hellenthal References: <201105072231.p47MVktY035491@catflap.bishopston.net> <20110508075203.GA61754@DataIX.net> <20110508173931.GA2757@DataIX.net> <86fwoof8lj.fsf@ds4.des.no> <86zkmwdpdl.fsf@ds4.des.no> <20110509144947.GB77054@DataIX.net> Date: Tue, 10 May 2011 12:28:28 +0200 In-Reply-To: <20110509144947.GB77054@DataIX.net> (Jason Hellenthal's message of "Mon, 9 May 2011 10:49:47 -0400") Message-ID: <86zkmu26k3.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Jamie Landeg Jones , freebsd-security@freebsd.org, feld@feld.me, Edho P Arief , utisoft@gmail.com Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 10:28:31 -0000 Jason Hellenthal writes: > Do you know if there is a way that chmod on / from within the jail could= =20 > be prevented easily without breaking something ? Maybe not failing but=20 > falling though and return 0 for any operation with the sole argument of /. Not without adding explicit checks in the kernel. 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue May 10 10:57:04 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 489721065670 for ; Tue, 10 May 2011 10:57:04 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 095CF8FC21 for ; Tue, 10 May 2011 10:57:03 +0000 (UTC) Received: from critter.freebsd.dk (critter.freebsd.dk [192.168.61.3]) by phk.freebsd.dk (Postfix) with ESMTP id 806875DC2; Tue, 10 May 2011 10:37:46 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.14.4/8.14.4) with ESMTP id p4AAbi82020052; Tue, 10 May 2011 10:37:44 GMT (envelope-from phk@critter.freebsd.dk) To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= From: "Poul-Henning Kamp" In-Reply-To: Your message of "Tue, 10 May 2011 12:28:28 +0200." <86zkmu26k3.fsf@ds4.des.no> Content-Type: text/plain; charset=ISO-8859-1 Date: Tue, 10 May 2011 10:37:44 +0000 Message-ID: <20051.1305023864@critter.freebsd.dk> Sender: phk@critter.freebsd.dk Cc: Jamie Landeg Jones , Jason Hellenthal , feld@feld.me, Edho P Arief , freebsd-security@freebsd.org, utisoft@gmail.com Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 10:57:04 -0000 In message <86zkmu26k3.fsf@ds4.des.no>, =?utf-8?Q?Dag-Erling_Smørgrav?= wr ites: >Jason Hellenthal writes: >> Do you know if there is a way that chmod on / from within the jail could > >> be prevented easily without breaking something ? 
Maybe not failing but >> falling though and return 0 for any operation with the sole argument of /. > >Not without adding explicit checks in the kernel. I identified this issue back when I implemented jails and though long and hard about adding a kernel hack to paste over this. My conclusion was that there were not enough justification for it, based on the usage model envisioned then: virtual-machines-light. Gettys first rule says: 1. Do not add new functionality unless an implementor cannot complete a real application without it. and I think we should stick to that before adding more or less random pieces of magic to the kernel. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. From owner-freebsd-security@FreeBSD.ORG Tue May 10 12:20:10 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CAEC9106566B for ; Tue, 10 May 2011 12:20:10 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [66.148.74.41]) by mx1.freebsd.org (Postfix) with ESMTP id 7E19D8FC17 for ; Tue, 10 May 2011 12:20:10 +0000 (UTC) X-Catflap-Envelope-From: Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.4/8.14.3) with ESMTP id p4ACIjfR033824; Tue, 10 May 2011 13:18:45 +0100 (BST) (envelope-from jamie@catflap.bishopston.net) Received: (from jamie@localhost) by catflap.bishopston.net (8.14.4/8.12.9/Submit) id p4ACIio8033823; Tue, 10 May 2011 13:18:44 +0100 (BST) From: Jamie Landeg Jones Message-Id: <201105101218.p4ACIio8033823@catflap.bishopston.net> Date: Tue, 10 May 2011 13:18:44 +0100 Organization: http://www.bishopston.com/jamie/ To: jhell@DataIX.net, des@des.no References: 
<201105072231.p47MVktY035491@catflap.bishopston.net> <20110508075203.GA61754@DataIX.net> <20110508173931.GA2757@DataIX.net> <86fwoof8lj.fsf@ds4.des.no> <86zkmwdpdl.fsf@ds4.des.no> <20110509144947.GB77054@DataIX.net> In-Reply-To: <20110509144947.GB77054@DataIX.net> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamav-milter 0.97 at catflap.bishopston.net X-Virus-Status: Clean Cc: jamie@bishopston.net, freebsd-security@freebsd.org, feld@feld.me, edhoprima@gmail.com, utisoft@gmail.com Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 12:20:10 -0000 > Do you know if there is a way that chmod on / from within the jail could > be prevented easily without breaking something ? Maybe not failing but > falling though and return 0 for any operation with the sole argument of /. Enforcing 700 on the jail root? Whilst I was wrong on chmod 700 on (say) /usr/jails it is still the case that the root directory of the jail itself (/usr/jail/jailname) has to be 755 for non-root processeses within the jail to access the filesystem! 
cheers, Jamie From owner-freebsd-security@FreeBSD.ORG Tue May 10 15:10:18 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CEE62106566C for ; Tue, 10 May 2011 15:10:18 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [66.148.74.41]) by mx1.freebsd.org (Postfix) with ESMTP id 8598E8FC08 for ; Tue, 10 May 2011 15:10:18 +0000 (UTC) X-Catflap-Envelope-From: X-Catflap-Envelope-To: freebsd-security@freebsd.org Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.4/8.14.3) with ESMTP id p4AF8uAY069951; Tue, 10 May 2011 16:08:56 +0100 (BST) (envelope-from jamie@catflap.bishopston.net) Received: (from jamie@localhost) by catflap.bishopston.net (8.14.4/8.12.9/Submit) id p4AF8u8T069950; Tue, 10 May 2011 16:08:56 +0100 (BST) From: Jamie Landeg Jones Message-Id: <201105101508.p4AF8u8T069950@catflap.bishopston.net> Date: Tue, 10 May 2011 16:08:56 +0100 Organization: http://www.bishopston.com/jamie/ To: jhell@DataIX.net, db@db.net References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> <201105091155.p49Bt604053259@catflap.bishopston.net> <20110510011249.GE2558@DataIX.net> <20110510145952.GA18253@night.db.net> In-Reply-To: <20110510145952.GA18253@night.db.net> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamav-milter 0.97 at catflap.bishopston.net X-Virus-Status: Clean Cc: freebsd-security@freebsd.org Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 15:10:18 -0000 > It used to confuzzle sysadmins on SUNos when the mount point was > 0700. The underlying mode disapeared when the mount was made, but it > was still being enforced. Suddenly no one but root could use say /usr > even though it was apparently 0755 I remember that happening! I thought it was like that on FreeBSD too, but if it was, it isn't any longer! I always make mount-points 0111 these days From owner-freebsd-security@FreeBSD.ORG Tue May 10 15:17:49 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 490AF1065673 for ; Tue, 10 May 2011 15:17:49 +0000 (UTC) (envelope-from db@db.net) Received: from diana.db.net (diana.db.net [66.113.102.10]) by mx1.freebsd.org (Postfix) with ESMTP id 054638FC0A for ; Tue, 10 May 2011 15:17:48 +0000 (UTC) Received: from night.db.net (localhost [127.0.0.1]) by diana.db.net (Postfix) with ESMTP id 170482282A; Tue, 10 May 2011 08:54:32 -0600 (MDT) Received: by night.db.net (Postfix, from userid 1000) id 13C11709F; Tue, 10 May 2011 10:59:52 -0400 (EDT) Date: Tue, 10 May 2011 10:59:52 -0400 From: Diane Bruce To: Jason Hellenthal Message-ID: <20110510145952.GA18253@night.db.net> References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> <201105091155.p49Bt604053259@catflap.bishopston.net> <20110510011249.GE2558@DataIX.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20110510011249.GE2558@DataIX.net> User-Agent: Mutt/1.4.2.3i Cc: Jamie Landeg Jones , freebsd-security@freebsd.org, feld@feld.me, edhoprima@gmail.com, utisoft@gmail.com Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues 
\[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 15:17:49 -0000 On Mon, May 09, 2011 at 09:12:49PM -0400, Jason Hellenthal wrote: > > Jamie, ... > Tip: Quick way to lock your system down to only root: ( chmod g= / ) > ***Emergency Use Only**** "molly guard not present" "slippery when throbbed" > > Side effect of that is its not really nice for processes > that run with lower privileges and isn't always apparent why things are > not working correctly so its best to just use nologin or drop to SU. It used to confuzzle sysadmins on SUNos when the mount point was 0700. The underlying mode disapeared when the mount was made, but it was still being enforced. Suddenly no one but root could use say /usr even though it was apparently 0755 - Diane -- - db@FreeBSD.org db@db.net http://www.db.net/~db Why leave money to our children if we don't leave them the Earth? From owner-freebsd-security@FreeBSD.ORG Tue May 10 16:41:55 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4E9FB1065670 for ; Tue, 10 May 2011 16:41:55 +0000 (UTC) (envelope-from utisoft@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id CD7288FC1D for ; Tue, 10 May 2011 16:41:54 +0000 (UTC) Received: by bwz12 with SMTP id 12so7394441bwz.13 for ; Tue, 10 May 2011 09:41:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:reply-to:date:message-id:subject :from:to:cc:content-type; bh=9TG2ex65bMJNfhg1ttnQSt6uQDWVhKB5V7RSBG1vCvA=; b=pESUg1sbpJzmmjceB+AbeCCsF9WjGU4WgXPxPmwr22qX+qFfBdLiW9h/6ePVZuf/uA VMGksmLQ1wvAXnKZHLevPG+6CE5mRlP8DH3FXsDwANMyOoZYaIEzSPXt+NiDX2NMEHEH MX21vIDnDvdXthGgqBmQHIdcllEFNcYQUwTXA= DomainKey-Signature: a=rsa-sha1; c=nofws; 
d=gmail.com; s=gamma; h=mime-version:reply-to:date:message-id:subject:from:to:cc :content-type; b=MtBdkP++oIOtswtfCG/kCtdS8MW4dLa5AVrSWrpNsC+G1RzuDEuZoQgowWA0XJp+Sr 1oBPga4rIHfI/YPO+nU0iNqExFP3Vj0AEcHJbTFzL6hihodhUNb/zfEMZ1UlXr+ecBp0 TfsUN68c8gwk/rQcOFaZeGkfuV16YtW90OaHQ= MIME-Version: 1.0 Received: by 10.204.74.11 with SMTP id s11mr4329bkj.43.1305045713408; Tue, 10 May 2011 09:41:53 -0700 (PDT) Received: by 10.204.42.21 with HTTP; Tue, 10 May 2011 09:41:53 -0700 (PDT) Received: by 10.204.42.21 with HTTP; Tue, 10 May 2011 09:41:53 -0700 (PDT) Date: Tue, 10 May 2011 17:41:53 +0100 Message-ID: From: Chris Rees To: Jamie Landeg Jones Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org, db@db.net Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: utisoft@gmail.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 16:41:55 -0000 On 10 May 2011 16:10, "Jamie Landeg Jones" wrote: > > > It used to confuzzle sysadmins on SUNos when the mount point was > > 0700. The underlying mode disapeared when the mount was made, but it > > was still being enforced. Suddenly no one but root could use say /usr > > even though it was apparently 0755 > > I remember that happening! I thought it was like that on FreeBSD too, > but if it was, it isn't any longer! > > I always make mount-points 0111 these days > Why not 0000? What sense does having -r+x make? 
Chris From owner-freebsd-security@FreeBSD.ORG Tue May 10 17:24:30 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8EF201065670 for ; Tue, 10 May 2011 17:24:30 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 4F0948FC08 for ; Tue, 10 May 2011 17:24:30 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 37E9B1FFC35; Tue, 10 May 2011 17:24:29 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 0D1378456D; Tue, 10 May 2011 19:24:29 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: "Poul-Henning Kamp" References: <20051.1305023864@critter.freebsd.dk> Date: Tue, 10 May 2011 19:24:28 +0200 In-Reply-To: <20051.1305023864@critter.freebsd.dk> (Poul-Henning Kamp's message of "Tue, 10 May 2011 10:37:44 +0000") Message-ID: <86k4dy31v7.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Jamie Landeg Jones , Jason Hellenthal , feld@feld.me, Edho P Arief , freebsd-security@freebsd.org, utisoft@gmail.com Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 17:24:30 -0000 "Poul-Henning Kamp" writes: > "Dag-Erling Sm=C3=B8rgrav" writes: > >Jason Hellenthal writes: > > > Do you know if there is a way that chmod on / from within the jail co= uld > > > be prevented easily without breaking something ? 
> > > Maybe not failing but falling through and return 0 for any operation
> > > with the sole argument of /.
> > Not without adding explicit checks in the kernel.
> I identified this issue back when I implemented jails and thought long
> and hard about adding a kernel hack to paste over this. [...] I
> think we should stick to [Getty's rule] before adding more or less
> random pieces of magic to the kernel.

I vote no as well, but for a different reason: there are many other
things the jailed root can do to the root directory, including flags,
extended attributes, etc. (some of which are fs-dependent), and it would
be difficult or impossible to identify all of them, not to mention those
that aren't yet possible but will be in the future. Fixing just one (or
two, or five) of them today might give users a false sense of security,
which is inexcusable when we can give a *true* sense of security by
telling them to "chmod 0700 $D/..".

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue May 10 17:44:05 2011
From: Jamie Landeg Jones
Message-Id: <201105101742.p4AHgh8H071164@catflap.bishopston.net>
Date: Tue, 10 May 2011 18:42:43 +0100
Organization: http://www.bishopston.com/jamie/
To: utisoft@gmail.com, jamie@bishopston.net
Cc: db@db.net, freebsd-security@freebsd.org
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

> Why not 0000? What sense does having -r+x make?

Because on some old systems I used to work with, you needed +x for it to
work.

Now I know 0000 works on FreeBSD, I'll try to remember to use that
instead!

From owner-freebsd-security@FreeBSD.ORG Tue May 10 18:07:22 2011
To: Dag-Erling Smørgrav
In-reply-to: Your message of "Tue, 10 May 2011 19:24:28 +0200." <86k4dy31v7.fsf@ds4.des.no>
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no>
Date: Tue, 10 May 2011 10:49:10 -0700
From: Bakul Shah
Message-Id: <20110510174910.64E48B827@mail.bitblocks.com>
Cc: Jamie Landeg Jones, Jason Hellenthal, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

On Tue, 10 May 2011 19:24:28 +0200 Dag-Erling Smørgrav wrote:
> I vote no as well, but for a different reason: there are many other
> things the jailed root can do to the root directory, including flags,
> extended attributes, etc. (some of which are fs-dependent), and it would
> be difficult or impossible to identify all of them, not to mention those
> that aren't yet possible but will be in the future. Fixing just one (or
> two, or five) of them today might give users a false sense of security,
> which is inexcusable when we can give a *true* sense of security by
> telling them to "chmod 0700 $D/..".

Dumb question: the jail command can refuse to run unless the
parent of a jail root is 0700. Would that work? No kernel hack
required.
From owner-freebsd-security@FreeBSD.ORG Tue May 10 19:09:58 2011
Date: Tue, 10 May 2011 21:09:56 +0200
From: Jilles Tjoelker
To: Jamie Landeg Jones
Message-ID: <20110510190956.GA43634@stack.nl>
References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> <201105091155.p49Bt604053259@catflap.bishopston.net> <20110510011249.GE2558@DataIX.net> <20110510145952.GA18253@night.db.net> <201105101508.p4AF8u8T069950@catflap.bishopston.net>
In-Reply-To: <201105101508.p4AF8u8T069950@catflap.bishopston.net>
Cc: jhell@DataIX.net, db@db.net, freebsd-security@freebsd.org
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

On Tue, May 10, 2011 at 04:08:56PM +0100, Jamie Landeg Jones wrote:
> > It used to confuzzle sysadmins on SunOS when the mount point was
> > 0700. The underlying mode disappeared when the mount was made, but it
> > was still being enforced. Suddenly no one but root could use say /usr
> > even though it was apparently 0755

> I remember that happening! I thought it was like that on FreeBSD too,
> but if it was, it isn't any longer!

It is still required for .. to work.

For example, if the /usr directory on / is 700 but the directory on the
mounted filesystem is 755, everyone can use pathnames under /usr but only
root can use /usr/.. which is confusing and undesirable.

> I always make mount-points 0111 these days

I'd recommend to keep doing that :)

--
Jilles Tjoelker

From owner-freebsd-security@FreeBSD.ORG Tue May 10 19:23:22 2011
From: Jamie Landeg Jones
Message-Id: <201105101921.p4AJLvQL086908@catflap.bishopston.net>
Date: Tue, 10 May 2011 20:21:57 +0100
Organization: http://www.bishopston.com/jamie/
To: des@des.no, bakul@bitblocks.com
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>
In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com>
Cc: jamie@bishopston.net, jhell@DataIX.net, feld@feld.me, edhoprima@gmail.com, freebsd-security@freebsd.org, phk@phk.freebsd.dk, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

Haha, all talking about kernel hacks and so on, and yet, to me, that
seems the simplest, but ALSO, the most elegant solution.

I'd have some override flag that could be set for those whose jails are
directly under an important folder, e.g. /usr/my-jail-name/ so that those
unable to change straight away can set an rc/sysctl flag rather than have
to hack the code..

Is this turning into a bikeshed discussion?
From owner-freebsd-security@FreeBSD.ORG Tue May 10 19:26:34 2011
From: Jamie Landeg Jones
Message-Id: <201105101924.p4AJOvJV004739@catflap.bishopston.net>
Date: Tue, 10 May 2011 20:24:57 +0100
Organization: http://www.bishopston.com/jamie/
To: jilles@stack.nl, jamie@bishopston.net
References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> <201105091155.p49Bt604053259@catflap.bishopston.net> <20110510011249.GE2558@DataIX.net> <20110510145952.GA18253@night.db.net> <201105101508.p4AF8u8T069950@catflap.bishopston.net> <20110510190956.GA43634@stack.nl>
In-Reply-To: <20110510190956.GA43634@stack.nl>
Cc: jhell@DataIX.net, db@db.net, freebsd-security@freebsd.org
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

> It is still required for .. to work.
>
> For example, if the /usr directory on / is 700 but the directory on the
> mounted filesystem is 755, everyone can use pathnames under /usr but only
> root can use /usr/.. which is confusing and undesirable.
>
> > I always make mount-points 0111 these days
>
> I'd recommend to keep doing that :)

Wow! Good catch! I missed that! And I note that ".." doesn't even appear
on an ls -a

That tells you too, Chris Rees :-)

Ok, I'll stick with 0111 - also, the reason I use 0111 instead of just
the default 755 (or whatever) is that it's an alert to me if some mount
isn't mounted for whatever reason. To me, 0111 means mount-point only,
period.

Cheers, Jamie

From owner-freebsd-security@FreeBSD.ORG Tue May 10 21:01:27 2011
From: William Palfreman
To: Bakul Shah
Date: Tue, 10 May 2011 22:31:48 +0200
In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com>
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>
Cc: Jamie Landeg Jones, feld@feld.me, Edho P Arief,
    freebsd-security@freebsd.org, Poul-Henning Kamp, Dag-Erling Smørgrav, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

On 10 May 2011 19:49, Bakul Shah wrote:
> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

If you do that then you can't use the jail with a non-root jailed user,
and I never want to give what is running in a jail anything more than
very unprivileged access. All I do is this:

/var - as normal
/var/jails - 0700
/var/jails/jail1 - 0755
/var/jails/jail2 - 0755
etc.

If an unprivileged user outside the jail was also root inside the jail,
he wouldn't be able to get into the /var/jails directory to do any suid
rooting.
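The layout above, Bakul Shah's earlier proposal that the jail command refuse to start unless the parent of the jail root is 0700, and the override flag Jamie Landeg Jones asked for can be tried out with the script below. It is an added example, not code from the thread and not part of FreeBSD's jail(8): the names mode_string, jail_parent_ok, jail_preflight and JAIL_PERM_FORCE are invented for it, and the /var/jails tree it exercises is a constructed copy under a temporary directory. One detail the check insists on: group and other must have no bits at all. A parent of mode 0111, which the thread recommends for mount points, still lets any host user traverse to a setuid binary the jailed root created below it (unless the jail's filesystem is mounted nosuid), so execute alone is rejected.

```shell
#!/bin/sh
# Added example; not code from the thread and not part of FreeBSD's
# jail(8).  A shell pre-flight check in the spirit of Bakul Shah's
# suggestion (refuse to start a jail unless the parent of the jail
# root is 0700) with the override Jamie Landeg Jones asked for.
# mode_string, jail_parent_ok, jail_preflight and JAIL_PERM_FORCE are
# names invented here; the directory tree is built under mktemp(1).

# 10-character mode field of a path, e.g. drwx------.  ls -ld is used
# rather than stat(1) because stat's flags differ between BSD and GNU.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if the parent of the jail root grants nothing to group
# or other.  Execute alone (0711, 0111) is not enough: search
# permission on the parent is all a host user needs to reach a setuid
# binary the jailed root planted under it, so all six group/other
# characters must be '-'.  ACLs (a trailing '+' in ls output) and file
# flags are not examined here.
jail_parent_ok() {
    parent=$(dirname "$1")
    [ -d "$parent" ] || return 1
    case "$(mode_string "$parent")" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Pre-flight for one jail root: 0 = go ahead, 1 = refuse.  Setting
# JAIL_PERM_FORCE=1 plays the role of an explicit "I know what I am
# doing" override, analogous to rm -f.
jail_preflight() {
    root=$1
    parent=$(dirname "$root")
    if jail_parent_ok "$root"; then
        return 0
    fi
    if [ "${JAIL_PERM_FORCE:-0}" = 1 ]; then
        echo "warning: $parent is $(mode_string "$parent"); starting $root anyway (JAIL_PERM_FORCE=1)" >&2
        return 0
    fi
    echo "refusing to start jail at $root: $parent is $(mode_string "$parent"); fix with: chmod 0700 '$parent'" >&2
    return 1
}

# Demonstration on a throwaway copy of the /var/jails layout from the
# thread (constructed in a temporary directory, not the real /var).
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/jails/jail1" "$base/jails/jail2"
    chmod 0755 "$base/jails/jail1" "$base/jails/jail2"   # jail roots stay 0755

    chmod 0755 "$base/jails"                              # unsafe parent
    jail_preflight "$base/jails/jail1" && echo "BUG: 0755 parent accepted"

    chmod 0111 "$base/jails"                              # still traversable
    jail_preflight "$base/jails/jail1" && echo "BUG: 0111 parent accepted"

    chmod 0700 "$base/jails"                              # the fix from the thread
    jail_preflight "$base/jails/jail1" && echo "ok: 0700 parent accepted"

    rm -rf "$base"
}

demo
```

Run it as any user; it creates and removes its own directory. In a real deployment the equivalent check belongs in whatever starts the jail, before the jail is created (the rc script, or an exec.prestart line in jail.conf(5)), and it only sees classic mode bits: the flags and extended attributes DES mentions, and ACLs that widen access, are outside its view.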
From owner-freebsd-security@FreeBSD.ORG Tue May 10 23:18:52 2011
Date: Tue, 10 May 2011 19:18:44 -0400
From: Jason Hellenthal
To: Jamie Landeg Jones
Message-ID: <20110510231843.GA67882@DataIX.net>
References: <201105072231.p47MVktY035491@catflap.bishopston.net> <20110508075203.GA61754@DataIX.net> <20110508173931.GA2757@DataIX.net> <86fwoof8lj.fsf@ds4.des.no> <86zkmwdpdl.fsf@ds4.des.no> <20110509144947.GB77054@DataIX.net> <201105101218.p4ACIio8033823@catflap.bishopston.net>
In-Reply-To: <201105101218.p4ACIio8033823@catflap.bishopston.net>
Cc: des@des.no, feld@feld.me, edhoprima@gmail.com, utisoft@gmail.com, freebsd-security@freebsd.org
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

Jamie,

On Tue, May 10, 2011 at 01:18:44PM +0100, Jamie Landeg Jones wrote:
>
> > Do you know if there is a way that chmod on / from within the jail could
> > be prevented easily without breaking something ? Maybe not failing but
> > falling through and return 0 for any operation with the sole argument of /.
>
> Enforcing 700 on the jail root?
>
> Whilst I was wrong on chmod 700 on (say) /usr/jails it is still the case
> that the root directory of the jail itself (/usr/jail/jailname) has to
> be 755 for non-root processes within the jail to access the filesystem!
>

Sorry for the late reply on this.

What I was thinking of is enforcing from within the jail that all system
calls to chmod(2), chflags(2), chown(2) and anything that can change the
directory's access modes should be passed silently when the argument to
the command is operating on the root directory.

--
Regards, (jhell)
Jason Hellenthal

From owner-freebsd-security@FreeBSD.ORG Wed May 11 05:28:27 2011
Date: Wed, 11 May 2011 05:28:16 +0000 (UTC)
From: Janne Snabb
To: Bakul Shah
In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com>
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>
Cc: Jamie Landeg Jones, Jason Hellenthal, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, Dag-Erling Smørgrav, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

On Tue, 10 May 2011, Bakul Shah wrote:

> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

I do not think that this should be enforced in kernel, in the jail(8)
command nor anywhere else. UNIX rm(1) is not opening a pop-up window
asking "are you sure?" if you do "rm -rf /". The OS should not
impose arbitrary restrictions based on some random assumptions on
how a particular OS facility is going to be used.

I can easily think of several scenarios where such a restriction
would cause more trouble than benefit. One example: I might have
zero unprivileged users in the jail host (thus the restriction would
be unnecessary). I need to run a cron job in the jail host which
updates some data within the jails. I would rather not do this as root
but instead use a separate non-root user for the purpose (as it is
generally a good practice to run everything as non-root unless it is
really necessary to be root). The proposed restriction would defeat
this possibility and force me to run all jail-related tasks as root
in the jail host, which might open it up to some other potential
security issues.

This should go into the documentation as a recommendation for some
common jail use cases, but seriously, really not in the code, please.

In UNIX we do not want to prevent people from shooting themselves
in the foot. We should assume that the system administrator knows
what they want and should not restrict their freedom to do so.
Just my thoughts,

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/

From owner-freebsd-security@FreeBSD.ORG Wed May 11 09:34:26 2011
From: Dag-Erling Smørgrav
To: Bakul Shah
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>
Date: Wed, 11 May 2011 11:34:23 +0200
In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com> (Bakul Shah's message of "Tue, 10 May 2011 10:49:10 -0700")
Message-ID: <86d3jpoa1s.fsf@ds4.des.no>
Cc: Jamie Landeg Jones, Jason Hellenthal, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

Bakul Shah writes:
> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

All right, this is getting ridiculous.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed May 11 10:06:43 2011
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>
Date: Wed, 11 May 2011 11:06:41 +0100
From: Chris Rees
To: Janne Snabb
Reply-To: utisoft@gmail.com
Cc: Jamie Landeg Jones, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, Bakul Shah, Dag-Erling Smørgrav
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

On 11 May 2011 06:28, "Janne Snabb" wrote:
>
> On Tue, 10 May 2011, Bakul Shah wrote:
>
> > Dumb question: the jail command can refuse to run unless the
> > parent of a jail root is 0700. Would that work? No kernel hack
> > required.
>
> I do not think that this should be enforced in kernel, in the jail(8)
> command nor anywhere else. UNIX rm(1) is not opening a pop-up window
> asking "are you sure?" if you do "rm -rf /".

I suggest you test this assertion....

Chris

From owner-freebsd-security@FreeBSD.ORG Wed May 11 10:20:50 2011
Date: Wed, 11 May 2011 10:20:42 +0000 (UTC)
From: Janne Snabb
To: Chris Rees
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>
Cc: Jamie Landeg Jones, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, Bakul Shah, Dag-Erling Smørgrav
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
On Wed, 11 May 2011, Chris Rees wrote:

> On 11 May 2011 06:28, "Janne Snabb" wrote:
> > UNIX rm(1) is not opening a pop-up window
> > asking "are you sure?" if you do "rm -rf /".
>
> I suggest you test this assertion....

I am surprised. I guess I have not done that for a while:

rm: "/" may not be removed

Off-topic. Bad example. Replace with something more appropriate (such
as the need to update jail directory tree contents without being root
in the host system). Sorry.

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/

From owner-freebsd-security@FreeBSD.ORG Wed May 11 06:21:52 2011
Date: Tue, 10 May 2011 23:21:51 -0700
From: Bakul Shah
To: Janne Snabb
Cc: Jamie Landeg Jones, Jason Hellenthal, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, Bakul Shah, Dag-Erling Smørgrav, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
Message-Id: <20110511062151.2731EB827@mail.bitblocks.com>
In-reply-to: Your message of "Wed, 11 May 2011 05:28:16 -0000."
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>

On Wed, 11 May 2011 05:28:16 -0000 Janne Snabb wrote:
> On Tue, 10 May 2011, Bakul Shah wrote:
> >
> > Dumb question: the jail command can refuse to run unless the
> > parent of a jail root is 0700. Would that work? No kernel hack
> > required.
>
> I do not think that this should be enforced in kernel, in the jail(8)
> command nor anywhere else. UNIX rm(1) is not opening a pop-up window
> asking "are you sure?" if you do "rm -rf /". The OS should not
> impose arbitrary restrictions based on some random assumptions on
> how a particular OS facility is going to be used.
...
> This should go in to the documentation as a recommendation for some
> common jail use cases, but seriously, really not in the code, please.
>
> In UNIX we do not want to prevent people from shooting themselves
> in the foot. We should assume that the system administrator knows
> what they want and should not restrict their freedom to do so.

I agree that people should not be prevented from shooting themselves
in the foot but I do suggest that "accidental" footshooting can be
prevented by leaving the gun safety on. Force them to take some
explicit action for footshooting!

So let me modify my dumb suggestion: allow running a jail if either
the jail's parent dir has mode 0700 or the user specified -f flag
(analogous to rm -f). [You may still not like it, but so it goes!]
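The check Bakul describes, written as a sh pre-flight script an administrator could run before starting a jail. This is an added example, not code from the thread or from FreeBSD's jail(8); the function names and the -f override are assumptions of the example.

```shell
#!/bin/sh
# Added example (not FreeBSD's jail(8) code): refuse to start a jail unless
# the parent directory of the jail root is mode 0700 exactly, or the caller
# passes -f. Function names and the -f flag are assumed for this example.

# Return 0 if the parent of the given jail root is a directory with mode 0700.
# POSIX find: -prune stops descent into the directory, and -perm with a
# leading zero is an exact-mode match, so 0750 or 0755 do not pass.
# A symlinked parent is not followed, so it fails closed. Ownership of the
# parent is not checked here.
jail_parent_is_private() {
    parent=$(dirname "$1")
    [ -d "$parent" ] || return 2
    [ -n "$(find "$parent" -prune -perm 0700 -print 2>/dev/null)" ]
}

# Usage: check_jail_parent [-f] /path/to/jail/root
# Returns 0 when the jail may start, 1 when it must be refused.
# -f overrides the check, analogous to rm -f, but still warns on stderr.
check_jail_parent() {
    force=0
    if [ "$1" = "-f" ]; then
        force=1
        shift
    fi
    root=$1
    if jail_parent_is_private "$root"; then
        return 0
    fi
    if [ "$force" -eq 1 ]; then
        echo "warning: parent of $root is not mode 0700; starting anyway (-f)" >&2
        return 0
    fi
    echo "refusing to start jail: parent of $root must be mode 0700 (or use -f)" >&2
    return 1
}

# Example call (constructed path): check_jail_parent /usr/jails/www || exit 1
```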
From owner-freebsd-security@FreeBSD.ORG Wed May 11 15:51:37 2011
Date: Wed, 11 May 2011 11:51:27 -0400
From: Jason Hellenthal
To: Dag-Erling Smørgrav
Cc: Jamie Landeg Jones, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, Bakul Shah, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
Message-ID: <20110511155127.GA28725@DataIX.net>
In-Reply-To: <86d3jpoa1s.fsf@ds4.des.no>
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com> <86d3jpoa1s.fsf@ds4.des.no>

Dag-Erling,

On Wed, May 11, 2011 at 11:34:23AM +0200, Dag-Erling Smørgrav wrote:
> Bakul Shah writes:
> > Dumb question: the jail command can refuse to run unless the
> > parent of a jail root is 0700. Would that work? No kernel hack
> > required.
>
> All right, this is getting ridiculous.
>

+1

--
Regards, (jhell)
Jason Hellenthal

From owner-freebsd-security@FreeBSD.ORG Wed May 11 16:03:58 2011
Date: Wed, 11 May 2011 17:03:50 +0100
From: Jamie Landeg Jones
Organization: http://www.bishopston.com/jamie/
To: jhell@DataIX.net, des@des.no
Cc: jamie@bishopston.net, feld@feld.me, edhoprima@gmail.com, freebsd-security@freebsd.org, phk@phk.freebsd.dk, bakul@bitblocks.com, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
Message-Id: <201105111603.p4BG3oKc099382@catflap.bishopston.net>
In-Reply-To: <20110511155127.GA28725@DataIX.net>
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com> <86d3jpoa1s.fsf@ds4.des.no> <20110511155127.GA28725@DataIX.net>

> +1

I did mention the bikeshed earlier ! :D

From owner-freebsd-security@FreeBSD.ORG Wed May 11 18:36:29 2011
Date: Wed, 11 May 2011 11:21:11 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails
Message-Id: <20110511183629.3ED3D106566B@hub.freebsd.org>
In-Reply-To: <20110511120032.7D5FB10657F4@hub.freebsd.org>
References: <20110511120032.7D5FB10657F4@hub.freebsd.org>

Dag-Erling Smørgrav wrote:
> Bakul Shah writes:
>> Dumb question: the jail command can refuse to run unless the
>> parent of a jail root is 0700. Would that work? No kernel hack
>> required.
>
> All right, this is getting ridiculous.

It's far past the point of being ridiculous, so far in fact that I
would not be surprised if someone employed by Redhat, Canonical or the
FSF was being paid to astroturf. The tactic may have worked for Gnome,
KDE, and a large number of apps but FreeBSD coders are generally more
experienced than that.

Roger Marquis