From owner-freebsd-bugs@FreeBSD.ORG Tue Apr 6 22:40:02 2010
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 63262106566B for ; Tue, 6 Apr 2010 22:40:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 254DB8FC13 for ; Tue, 6 Apr 2010 22:40:02 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o36Me2nW014641 for ; Tue, 6 Apr 2010 22:40:02 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o36Me2no014640; Tue, 6 Apr 2010 22:40:02 GMT (envelope-from gnats)
Resent-Date: Tue, 6 Apr 2010 22:40:02 GMT
Resent-Message-Id: <201004062240.o36Me2no014640@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dan Naumov
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BD2381065670 for ; Tue, 6 Apr 2010 22:33:30 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id AB25F8FC17 for ; Tue, 6 Apr 2010 22:33:30 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o36MXUct031169 for ; Tue, 6 Apr 2010 22:33:30 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.14.3/8.14.3/Submit) id o36MXURi031168; Tue, 6 Apr 2010 22:33:30 GMT (envelope-from nobody)
Message-Id: <201004062233.o36MXURi031168@www.freebsd.org>
Date: Tue, 6 Apr 2010 22:33:30 GMT
From: Dan Naumov
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: kern/145444: sysinstall and sade can access host's disks from within a jail
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 06 Apr 2010 22:40:02 -0000

>Number: 145444
>Category: kern
>Synopsis: sysinstall and sade can access host's disks from within a jail
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 06 22:40:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Dan Naumov
>Release: 8.0
>Organization:
>Environment:
FreeBSD atombsd.localdomain 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan 5 21:11:58 UTC 2010 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
If you run "sade" or "sysinstall" within a jail, you can see the host system's disks from within the jail, giving a malicious superuser within the jail the capability to inspect the disk and partition layout of the host. Actual destructive actions to the host's disk from within such an instance of "sade" / "sysinstall" do not seem possible (attempting to write out changes returns an error), but nevertheless such peeking capability is still troubling. It is my understanding that this is not intended behaviour.
>How-To-Repeat:
1) Install FreeBSD 8.0
2) Create and install a jail
3) Start the jail
4) Log into the jail as a user with root privileges (locally via host's console or remotely, connecting to an sshd running within the jail)
5) Run "sade" or "sysinstall"
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: