From: Janne Snabb <snabb@epipe.com>
To: Bakul Shah
Cc: Jamie Landeg Jones, Jason Hellenthal, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, Dag-Erling Smørgrav, utisoft@gmail.com
Date: Wed, 11 May 2011 05:28:16 +0000 (UTC)
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P??????tur)

On Tue, 10 May 2011, Bakul Shah wrote:

> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

I do not think that this should be enforced in the kernel, in the jail(8) command, nor anywhere else. UNIX rm(1) does not open a pop-up window asking "are you sure?" if you do "rm -rf /". The OS should not impose arbitrary restrictions based on some random assumptions about how a particular OS facility is going to be used.

I can easily think of several scenarios where such a restriction would cause more trouble than benefit. One example: I might have zero unprivileged users in the jail host (thus the restriction would be unnecessary). I need to run a cron job in the jail host which updates some data within the jails. I would rather not do this as root but instead use a separate non-root user for the purpose (as it is generally good practice to run everything as non-root unless it is really necessary to be root). The proposed restriction would defeat this possibility and force me to run all jail-related tasks as root in the jail host, which might open it up to some other potential security issues.

This should go into the documentation as a recommendation for some common jail use cases, but seriously, really not in the code, please.

In UNIX we do not want to prevent people from shooting themselves in the foot. We should assume that the system administrator knows what they want and should not restrict their freedom to do so.

Just my thoughts,
--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
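The "document it, don't enforce it" position in the reply above can still be backed by a host-side audit that an administrator runs at their own discretion. The script below is an added example, not part of the original thread and not FreeBSD's jail(8): it checks the parent directory of each given jail root against the root-owned, mode 0700 recommendation under discussion and only reports deviations, never refusing to run anything. The function names, the optional expected-owner argument (so a non-root maintenance user such as the cron scenario in the post can be audited against) and the stat wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not jail(8)): audit the parent
# directory of each jail root against the "root-owned, mode 0700"
# recommendation. Reports only; takes no enforcement action.

# Print "<octal mode> <owner uid>" for a path. Tries GNU stat first and
# falls back to BSD stat (FreeBSD, macOS) so the check runs on either.
dir_mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_jail_parent JAILROOT [EXPECTED_UID]
# Returns 0 when JAILROOT's parent is owned by EXPECTED_UID (default 0,
# i.e. root) and has mode 0700; 1 on a mode mismatch, 2 on an ownership
# mismatch, 3 when the parent does not exist. Prints a one-line finding.
check_jail_parent() {
    jailroot=$1
    expected_uid=${2:-0}
    parent=$(dirname "$jailroot")
    if [ ! -d "$parent" ]; then
        echo "ERROR: $parent does not exist (jail root $jailroot)"
        return 3
    fi
    # Word-split the "mode uid" pair into the function's positional params.
    set -- $(dir_mode_owner "$parent")
    mode=$1
    uid=$2
    if [ "$mode" != "700" ]; then
        echo "WARN: $parent is mode 0$mode (recommended 0700) for jail root $jailroot"
        return 1
    fi
    if [ "$uid" != "$expected_uid" ]; then
        echo "WARN: $parent is owned by uid $uid, expected uid $expected_uid"
        return 2
    fi
    echo "OK: $parent is 0700 and owned by uid $expected_uid (jail root $jailroot)"
    return 0
}

# audit_jail_roots JAILROOT...
# Checks every jail root against root ownership; the return value is the
# number of jail roots whose parent failed the check.
audit_jail_roots() {
    failures=0
    for root in "$@"; do
        check_jail_parent "$root" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage: sh jail-parent-audit.sh /usr/jails/www /usr/jails/db
if [ $# -gt 0 ]; then
    audit_jail_roots "$@"
fi
```

The audit is deliberately separate from jail startup: it can be run from cron or a configuration-management check, and a deviation is a finding for the administrator to weigh against their own setup (for instance a host with no unprivileged users), which is exactly the judgement the post wants to leave with the administrator rather than with the code.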