From owner-freebsd-jail@FreeBSD.ORG Mon Apr 12 06:02:27 2010
From: "Erich Jenkins, Fuujin Group Ltd"
Date: Mon, 12 Apr 2010 01:02:16 -0600
To: freebsd-jail@freebsd.org
Cc: freebsd-bugs@freebsd.org
Subject: jail file and directory permissions

So, I received a response on the Bugs mailing list, suggesting that this might have been a directory permission issue I overlooked (because I failed to explain the situation as completely as I should have, but thank you for the response).

This is not a directory permission issue, this is a jail file permission issue. The directory inside the user's home directory is owned by root, and the user does not have write permission to it.

Come on guys. Am I to assume the lack of interest in this issue is an indication that jails are not actively maintained? Should I move three racks of equipment to VMware ESXi and FreeBSD rather than use jails?

--
Erich M. Jenkins
Fuujin Group Limited

"You should never, never doubt what no one is sure about."
-- Gene Wilder


From owner-freebsd-jail@FreeBSD.ORG Mon Apr 12 08:22:53 2010
From: "Erich Jenkins, Fuujin Group Ltd"
Date: Mon, 12 Apr 2010 03:22:42 -0600
To: Kalle Møller
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: jail file and directory permissions

Kalle Møller wrote:
> Could you please make a command list on what you're doing and with
> output, like this ...
>
> --
>
> Kind regards
>
> Kalle R. Møller

Here's what I'm seeing:

jail0495> pwd
/usr/home/testuser
jail0495> ll
-rw-------  1 testuser  rmtuser  1957 Apr 12 02:22 .history
drwxr--r--  2 root      wheel    1024 Apr 12 02:22 testdir
jail0495> users
testuser
jail0495> cd testdir
jail0495> ll
-rw-r--r--  2 root  wheel  4096 Apr 12 02:24 textfile.txt
jail0495> rm textfile.txt
override rw-r--r--  root/wheel for textfile.txt ? y
jail0495> ll
total 0
jail0495>

As you can see, this is of great concern.

Erich M. Jenkins
Fuujin Group Limited

"You should never, never doubt what no one is sure about."
-- Gene Wilder


From owner-freebsd-jail@FreeBSD.ORG Mon Apr 12 11:07:03 2010
From: FreeBSD bugmaster
Date: Mon, 12 Apr 2010 11:07:03 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.


From owner-freebsd-jail@FreeBSD.ORG Mon Apr 12 12:56:15 2010
From: Ian Smith
Date: Mon, 12 Apr 2010 22:56:10 +1000 (EST)
To: "Erich Jenkins, Fuujin Group Ltd"
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: jail file and directory permissions

On Mon, 12 Apr 2010, Erich Jenkins, Fuujin Group Ltd wrote:

 > Here's what I'm seeing:
 >
 > jail0495> pwd
 > /usr/home/testuser
 > jail0495> ll
 > -rw-------  1 testuser  rmtuser  1957 Apr 12 02:22 .history
 > drwxr--r--  2 root      wheel    1024 Apr 12 02:22 testdir
 > jail0495> users
 > testuser

users just shows the login user, even if you've su'd to root.  Can you show `id -p` at this point?

 > jail0495> cd testdir

testuser shouldn't be able to cd to that dir, nor browse it, let alone delete a file in it.  Sure smells like your effective uid here is root.

 > jail0495> ll
 > -rw-r--r--  2 root  wheel  4096 Apr 12 02:24 textfile.txt
 > jail0495> rm textfile.txt
 > override rw-r--r--  root/wheel for textfile.txt ? y
 > jail0495> ll
 > total 0
 > jail0495>
 >
 > As you can see, this is of great concern.

Indeed.

cheers, Ian


From owner-freebsd-jail@FreeBSD.ORG Mon Apr 12 13:25:54 2010
From: Greg Larkin
Date: Mon, 12 Apr 2010 09:08:01 -0400
To: "Erich Jenkins, Fuujin Group Ltd"
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: jail file and directory permissions

Erich Jenkins, Fuujin Group Ltd wrote:
> Here's what I'm seeing:
> [jail0495 session as quoted above]
> As you can see, this is of great concern.

Hi Erich,

I use jails extensively on my company systems here, so I am interested in this problem.  I set up a test environment that I believe mirrors yours:

jail54# pwd
/usr/home/glarkin
jail54# ls -al testdir
total 6
drwxr--r--  2 root     wheel    512 Apr 12 08:52 .
drwxr-xr-x  5 glarkin  glarkin  512 Apr 12 08:52 ..
-rw-r--r--  1 root     wheel      7 Apr 12 08:52 foo.txt
jail54# # exit
[glarkin@jail54 ~]$ cd testdir
-bash: cd: testdir: Permission denied
[glarkin@jail54 ~]$ rm testdir/foo.txt
rm: testdir/foo.txt: Permission denied
[glarkin@jail54 ~]$ rm -rf testdir
rm: testdir/foo.txt: Permission denied
rm: testdir: Directory not empty

My situation is slightly different than yours, since my jails are based on FreeBSD 6.4, instead of 7.x.

As a first step to troubleshooting, please log in to your jail as your non-privileged user, run the following commands from its home directory, then post the permtest1.log and permtest2.log files somewhere that we can review them:

truss -f -a -s 256 -o permtest1.log cd testdir

truss -f -a -s 256 -o permtest2.log rm testdir/textfile.txt

Also run the "df" and "mount" commands from the user's home directory inside the jail as well as from the same directory but outside of the jail context.  Please post the output of those commands somewhere as well.

Thank you,
Greg
--
Greg Larkin

http://www.FreeBSD.org/           - The Power To Serve
http://www.sourcehosting.net/     - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you


From owner-freebsd-jail@FreeBSD.ORG Mon Apr 12 13:35:09 2010
From: David Samms
Date: Mon, 12 Apr 2010 08:57:58 -0400
To: freebsd-jail@freebsd.org
Cc: freebsd-bugs@freebsd.org
Subject: Re: jail file and directory permissions

On 04/12/10 05:22, Erich Jenkins, Fuujin Group Ltd wrote:
> Here's what I'm seeing:
> [jail0495 session as quoted above]
> As you can see, this is of great concern.

I am running 7.2-RELEASE-p5 amd64 and cannot duplicate your problem.  Here is what I typed.

As root...
--------------------------------------------------------
nw-ds# cd ~nw
nw-ds# mkdir test
nw-ds# touch test/file
nw-ds# ll | grep test
drwxr-xr-x  2 root  nw  512 Apr 12 08:56 test
nw-ds# ll test/*
-rw-r--r--  1 root  nw  0 Apr 12 08:56 test/file

As normal user "nw"
--------------------------------------------------------
%cd ~/test
%ll
total 0
-rw-r--r--  1 root  nw  0 Apr 12 08:56 file
%rm file
override rw-r--r--  root/nw for file? y
rm: file: Permission denied
%ll
total 0
-rw-r--r--  1 root  nw  0 Apr 12 08:56 file


From owner-freebsd-jail@FreeBSD.ORG Mon Apr 12 22:14:27 2010
From: "Erich Jenkins, Fuujin Group Ltd"
Date: Mon, 12 Apr 2010 17:14:16 -0600
To: glarkin@FreeBSD.org
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org, smithi@nimnet.asn.au
Subject: Re: jail file and directory permissions

Greg Larkin wrote:
> As a first step to troubleshooting, please log in to your jail as your
> non-privileged user, run the following commands from its home directory,
> then post the permtest1.log and permtest2.log files somewhere that we
> can review them:
>
> truss -f -a -s 256 -o permtest1.log cd testdir
>
> truss -f -a -s 256 -o permtest2.log rm testdir/textfile.txt

Greg:

Interestingly enough, this is what I get when running truss:

truss: cannot open /proc/curproc/mem: No such file or directory
truss: cannot open1 /proc/13713/mem: No such file or directory

However, Ian made a suggestion that completely eluded me: simply look at the effective user and group info via id -p (which I should have done prior to posting in the first place, my apologies).  The output was:

jail0495> id -p
login   testuser
uid     root
groups  wheel rmtuser

However,

jail0495> users
testuser

So apparently, this install thinks the user has root privileges.

Here's where it gets strange.  I rebooted the box (this is in a lab), and logged back in as the user, but did not su to root.  I did a few things that seem easy to follow from the command line, but please ask if anything is unclear:

jail0495> id -p
uid     testuser
groups  rmtuser
jail0495> pwd
/usr/home/testuser
jail0495> ll
-rw-------  1 testuser  rmtuser  1957 Apr 12 02:22 .history
drwxr-xr-x  2 root      wheel    1024 Apr 12 02:22 testdir

(this is a login with a user in the wheel group from another session)

jail0495> su root
Password:
jail0495# cd testdir
jail0495# ll
total 0
jail0495# dd if=/dev/random of=testfile bs=10k count=1
1+0 records in
1+0 records out
10240 bytes transferred in 0.000632 secs (16207424 bytes/sec)
jail0495# ll
-rw-r--r--  1 root  wheel  10240 Apr 12 15:18 testfile
jail0495# exit
exit
jail0495> exit

(this is the end of that session)

(back to the first session with the unprivileged user)

jail0495> id -p
login   testuser
uid     root
groups  wheel rmtuser
jail0495> users
testuser
jail0495>

To be honest, my first thought was "What the hell is this!?!"

So, I rebooted the box again after remembering something about user privilege escalation in an older release of NetBSD I had seen some years ago.  (Since we're talking jails, this problem is FreeBSD related, just to be clear.)

Now I get this after a fresh reboot:

login as: testuser
Using keyboard-interactive authentication.
Password:
Last login: Mon Apr 12 14:46:26 2010 from [ redacted ]
jail0495> users
testuser
jail0495> pwd
/usr/home/testuser
jail0495> ll
-rw-------  1 testuser  rmtuser  1957 Apr 12 02:22 .history
drwxr-xr-x  2 root      wheel    1024 Apr 12 02:22 testdir
jail0495> cd testdir
jail0495> ll
-rw-r--r--  1 root  wheel  10240 Apr 12 15:18 testfile
jail0495> rm testfile
override rw-r--r--  root/wheel for testfile ? y
rm: testfile: Permission denied
jail0495>

But watch this after an su from another session:
(testuser is NOT a member of the wheel group!!  And this is not the su session, but the first login session.)

jail0495> id -p
login   testuser
uid     root
groups  wheel rmtuser
jail0495> users
testuser
jail0495> rm testfile
override rw-r--r--  root/wheel for testfile ? y
jail0495> ll
total 0
jail0495>

It gets worse.  I added another user not in the wheel group, and created another group for this new user.  Then I logged in as this user, and as the other test user from another session.  It appears that once there has been an su to root, ALL users have root permissions regardless of their group membership or login privileges.

Since this was a buildworld copied via NFS from a build environment, it appears that something has gone terribly wrong during the build.  I'm going to wipe this machine and do a completely fresh install of 7.0-REL, buildworld, and set up a jail to see if something did indeed break, or if this is an actual bug.

Thank you very much to everyone who's responded to this issue.  Your input has been instrumental in helping troubleshoot this.  I'll post as soon as the build completes and I have a chance to test this tonight.

Erich M. Jenkins
Fuujin Group Limited

"You should never, never doubt what no one is sure about."
-- Gene Wilder


From owner-freebsd-jail@FreeBSD.ORG Tue Apr 13 18:42:32 2010
From: "Erich Jenkins, Fuujin Group Ltd"
Date: Tue, 13 Apr 2010 13:42:21 -0600
To: glarkin@FreeBSD.org
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org, smithi@nimnet.asn.au
Subject: Re: jail file and directory permissions

Erich Jenkins, Fuujin Group Ltd wrote:
> Since this was a buildworld copied via NFS from a build environment, it
> appears that something has gone terribly wrong during the build.  I'm
> going to wipe this machine and do a completely fresh install of 7.0-REL,
> buildworld, and set up a jail to see if something did indeed break, or
> if this is an actual bug.

All:

After a fresh buildworld on this box, I am no longer seeing this user permissions issue, which leads me to believe something is very, very wrong with the way it was built on the build server for the cluster.  If anyone would like, I'll tar up the build environment and put it somewhere it can be accessed, assuming someone has the time/inclination to sift through it and see what happened.  I spent a few hours this morning going through it and can't find anything out of the ordinary, but most of the inner workings of jails are a "black box" to me.

Thank you for all the feedback.  I'm setting up the new build environment for the cluster to fix this issue for deployed systems.

Erich M. Jenkins
Fuujin Group Limited

"You should never, never doubt what no one is sure about."
-- Gene Wilder


From owner-freebsd-jail@FreeBSD.ORG Fri Apr 16 01:54:16 2010
From: Greg Larkin
Date: Thu, 15 Apr 2010 21:54:03 -0400
To: "Erich Jenkins, Fuujin Group Ltd"
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org, smithi@nimnet.asn.au
Subject: Re: jail file and directory permissions

Erich Jenkins, Fuujin Group Ltd wrote:
> After a fresh buildworld on this box, I am no longer seeing this user
> permissions issue, which leads me to believe something is very, very
> wrong with the way it was built on the build server for the cluster.

Hi Erich,

I'm glad to hear that you got everything sorted out!  If it's possible to set up the previous environment in a virtual machine or some spare hardware and grant me an ssh login, I would be interested in doing more tests to see if I can figure out what's going on.

Whether there's a bug in the jail subsystem or a hole in the provisioning process that allows the privilege escalation, it would certainly be good to find the root cause.

Thank you,
Greg
--
Greg Larkin

http://www.FreeBSD.org/           - The Power To Serve
http://www.sourcehosting.net/     - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you


From owner-freebsd-jail@FreeBSD.ORG Fri Apr 16 09:20:36 2010
From: "Erich Jenkins, Fuujin Group Ltd"
Date: Fri, 16 Apr 2010 04:20:26 -0600
To: glarkin@FreeBSD.org
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org, smithi@nimnet.asn.au
Subject: Re: jail file and directory permissions

Greg Larkin wrote:
> Hi Erich,
>
> I'm glad to hear that you got everything sorted out!  If it's possible
> to set up the previous environment in a virtual machine or some spare
> hardware and grant me an ssh login, I would be interested in doing more
> tests to see if I can figure out what's going on.
>
> Whether there's a bug in the jail subsystem or a hole in the
> provisioning process that allows the privilege escalation, it would
> certainly be good to find the root cause.
>
> Thank you,
> Greg
> --
> Greg Larkin
>
> http://www.FreeBSD.org/ - The Power To Serve
> http://www.sourcehosting.net/ - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iD8DBQFLx8M70sRouByUApARAnpwAJ0f2+XC2hwTSrkO/v8DUPXpchdHygCeMWc0 > M4E6SOz8kPRJYdwTXOkF2lY= > =z7l7 > -----END PGP SIGNATURE----- > Greg: I'd be happy to get this set up in the lab for you to look at, but at the moment, all of our lab machines are in use (I rolled this box over to a community project after buildworld "cleaned" it up). I try to provide hardware resources to FreeBSD committers and developers hunting down problems, and at the moment, I'm at the limit, there's no hardware left. As soon as something becomes available, I'll drop you a line and get this onto a test server. Generally, I create a VRF for each test environment with outside access via ssh and an internet connection for fetching whatever may be necessary (most often 10mbps). OpenVPN access is also available depending on what the committer/developer wants. Thank you again for your interest in this anomaly (for lack of a better description). I'll get something up for you as soon as a box becomes available. Any preference on platform (considering this did not seem to be platform dependent)? I can do sparc64, amd64/x86-64, itanium2, and i386/x86-32. The environment I'm experiencing the problem in is x86-32, and I think someone is almost done with a DL580-G3, so I can roll that out when it becomes available. Erich M. Jenkins Fuujin Group Limited "You should never, never doubt what no one is sure about." -- Gene Wilder