From owner-freebsd-security@FreeBSD.ORG Wed May 11 06:21:52 2011
From: Bakul Shah
To: Janne Snabb
Cc: Jamie Landeg Jones, Jason Hellenthal, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, Bakul Shah, Dag-Erling Smørgrav, utisoft@gmail.com
Date: Tue, 10 May 2011 23:21:51 -0700
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
Message-Id: <20110511062151.2731EB827@mail.bitblocks.com>
In-reply-to: Your message of "Wed, 11 May 2011 05:28:16 -0000."
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>
List-Id: "Security issues [members-only posting]"

On Wed, 11 May 2011 05:28:16 -0000 Janne Snabb wrote:
> On Tue, 10 May 2011, Bakul Shah wrote:
>
> > Dumb question: the jail command can refuse to run unless the
> > parent of a jail root is 0700. Would that work? No kernel hack
> > required.
>
> I do not think that this should be enforced in kernel, in the jail(8)
> command nor anywhere else.
> UNIX rm(1) is not opening a pop-up window
> asking "are you sure?" if you do "rm -rf /". The OS should not
> impose arbitrary restrictions based on some random assumptions on
> how a particular OS facility is going to be used.
...
> This should go into the documentation as a recommendation for some
> common jail use cases, but seriously, really not in the code, please.
>
> In UNIX we do not want to prevent people from shooting themselves
> in the foot. We should assume that the system administrator knows
> what they want and should not restrict their freedom to do so.

I agree that people should not be prevented from shooting themselves
in the foot, but I do suggest that "accidental" footshooting can be
prevented by leaving the gun safety on. Force them to take some
explicit action for footshooting!

So let me modify my dumb suggestion: allow running a jail if either
the jail's parent dir has mode 0700 or the user specified the -f flag
(analogous to rm -f). [You may still not like it, but so it goes!]