Date: Tue, 6 Apr 2010 22:33:30 GMT
From: Dan Naumov <dan.naumov@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/145444: sysinstall and sade can access host's disks from within a jail
Message-ID: <201004062233.o36MXURi031168@www.freebsd.org>
Resent-Message-ID: <201004062240.o36Me2no014640@freefall.freebsd.org>

>Number:         145444
>Category:       kern
>Synopsis:       sysinstall and sade can access host's disks from within a jail
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 06 22:40:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Dan Naumov
>Release:        8.0
>Organization:
>Environment:
FreeBSD atombsd.localdomain 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan 5 21:11:58 UTC 2010 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
If you run "sade" or "sysinstall" within a jail, you can see the host system's disks from within the jail, giving a malicious superuser within the jail the capability to inspect the disk and partition layout of the host.

Actual destructive actions to the host's disk from within such an instance of "sade" / "sysinstall" do not seem possible (attempting to write out changes returns an error), but nevertheless such peeking capability is still troubling. It is my understanding that this is not intended behaviour.
>How-To-Repeat:
1) Install FreeBSD 8.0
2) Create and install a jail
3) Start the jail
4) Log into the jail as a user with root privileges (locally via host's console or remotely, connecting to an sshd running within the jail)
5) Run "sade" or "sysinstall"
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: