Date: Tue, 5 Jan 2010 09:32:25 GMT From: Vedad KAJTAZ <vedad@kajtaz.net> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/142341: Jail escape when cwd is moved from the host system Message-ID: <201001050932.o059WP0F004402@www.freebsd.org> Resent-Message-ID: <201001050940.o059e2uO093454@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 142341 >Category: misc >Synopsis: Jail escape when cwd is moved from the host system >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Jan 05 09:40:02 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Vedad KAJTAZ >Release: 7.2-RELEASE-p4 >Organization: Vedad KAJTAZ >Environment: FreeBSD kenny.osilex.net 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct 2 12:21:39 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 >Description: Given the following setup: - A host system - A jail system located in /usr/local/jails/J1 on the host system - A shell open in the jail system, with cwd set to /some/path (therefore, /usr/local/jails/J1/some/path on the host system). When the root moves the /usr/local/jails/J1/some/path folder somewhere else (say in /usr/local/jails/J2/some/path), the jail shell (as any other jail process) in no longer rooted and has access to the whole filesystem on the host. Though this is not a common situation, it may happen (and did happen to me). Best regards, >How-To-Repeat: Always repeatable >Fix: None known >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201001050932.o059WP0F004402>