From: James Gritton
Date: Wed, 05 Mar 2014 17:28:37 -0700
To: d@delphij.net, Nicola Galante
Cc: freebsd-security@freebsd.org, secteam@FreeBSD.org
Subject: Re: misc/187307: Security vulnerability with FreeBSD Jail
Message-ID: <5317C135.6060404@freebsd.org>
In-Reply-To: <5317B597.5050900@delphij.net>
References: <201403052307.s25N7NoD045308@cgiserv.freebsd.org> <5317B597.5050900@delphij.net>

On 3/5/2014 4:39 PM, Xin Li wrote:
> This is NOT a problem with jail. For starters, it's a very bad idea to
> give out a host shell account, privileged or not, to jail users if they
> are not trusted.
> Let's consider this scenario:
>
> jail$ su -l
> jail# cp /usr/bin/less /bin/root_shell
> jail# chown root:wheel /bin/root_shell
> jail# chmod 6555 /bin/root_shell
> jail# logout
> jail$ logout
>
> Then, you basically have a setuid binary that can be reached from the host
> system. As an attacker I would do:
>
> host$ /path/to/jail/bin/root_shell

That's an important point: jails are good for their *own* security, but they make the base system insecure for allowing untrusted users. I can see user accounts for the admin's own use (likely the condition that was originally reported), but that's the only account I would consider allowing.

- Jamie
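A host-side check for the scenario in Xin Li's quoted steps, added here as an example and not part of either mail or of FreeBSD itself: it walks a jail root and reports every set-uid or set-gid regular file, which is what a host user would need to find to abuse it. The function names and the jail path argument are my own assumptions.

```shell
# audit_jail_setid JAILROOT
# Print every set-uid/set-gid regular file under a jail's root directory.
# A binary like /bin/root_shell from the scenario above only matters to the
# host if the host can execute it from the jail's filesystem with the set-id
# bits honoured; mounting that filesystem nosuid removes the second half.
# Helper name is hypothetical; it is not a FreeBSD tool.
audit_jail_setid() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    # POSIX find: -perm -4000 matches the set-uid bit, -perm -2000 set-gid.
    # ls -ld shows mode and owner so root:wheel 6555 entries stand out.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# jail_setid_clean JAILROOT
# Exit 0 when no set-id file exists under the jail root, 1 when at least one
# does (listing them on stderr), 2 on a bad path. Suitable for a periodic job.
jail_setid_clean() {
    hits=$(audit_jail_setid "$1") || return 2
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" >&2
        return 1
    fi
    return 0
}
```

Run it against each jail's root from the host, not from inside the jail, since the jail's own root can reset the bits at will.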