Date: Mon, 9 Sep 2002 10:27:19 -0400 (EDT)
From: Adrian Filipi-Martin
To: Benjamin Krueger
Cc: Hans Zaunere
Subject: Re: jail() House Rock
In-Reply-To: <20020908044125.C98271@mail.seattleFenix.net>
Message-ID: <20020909102116.M8908-100000@lorax.ubergeeks.com>

On Sun, 8 Sep 2002, Benjamin Krueger wrote:

> Think carefully about exactly what kind of privileges your clients get. A
> friend asked me recently if his users could escalate privileges if they have a
> normal user account on the main server, and root inside the jail. After some
> thinking we outlined a situation in which the user creates a suid binary to
> escalate any user to root inside the jail, and then runs it as a normal user
> outside the jail. Instant root.
We stumbled across this situation a year or so ago as we converted our
development environments to be jails on the developer workstations. A
reasonable solution is to block access to the jailed filesystems from
non-jailed accounts. Just do the following:

    install -m u=rwx,go= -d /usr/fence
    install -d /usr/fence/jail

Then use the fenced off directory as your jail root. We are successfully
running desktops with multiple developer jails in this sort of configuration
and things work great. This excludes anyone but root from using suid binaries
from a jail, and well, root's already root.

	Adrian
--
[ adrian@ubergeeks.com ]
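The fence described in Adrian's reply, as an added example that is not part of the original message: a small POSIX sh script that builds the 0700 top-level directory with the jail root beneath it, verifies that the fence really denies group and other, and audits a jail tree for setuid files as a periodic detection check on the host. The function names, the numeric mode 0700 (equivalent to the message's u=rwx,go=) and the parameterised paths are my own; the defaults in the usage comment mirror the /usr/fence layout from the message.

```shell
#!/bin/sh
# Added example (not from the original message): build a "fenced" jail tree
# whose top directory is mode 0700, so a non-root user on the host cannot
# traverse into it and therefore cannot execute a setuid binary that a
# jail-root user created inside. Then audit a jail root for setuid files.

set -eu

# make_fence BASE NAME: create BASE as a root-only (0700) directory and the
# jail root BASE/NAME under it. Prints the jail root path.
make_fence() {
    base=$1
    name=$2
    # Top-level directory: owner rwx only. Without "x" on this directory no
    # other user can reach anything below it, whatever the modes below are.
    install -m 0700 -d "$base"
    # The jail root itself keeps install's default mode (0755); the fence
    # above it is what blocks outside users.
    install -d "$base/$name"
    printf '%s\n' "$base/$name"
}

# fence_mode DIR: print the ten-character symbolic mode of DIR. Uses ls
# rather than stat so it works on both FreeBSD (stat -f) and GNU (stat -c).
fence_mode() {
    ls -ld "$1" | cut -c1-10
}

# fence_ok DIR: succeed only if DIR is a directory that denies group and
# other entirely, i.e. the fence is closed.
fence_ok() {
    [ "$(fence_mode "$1")" = "drwx------" ]
}

# list_setuid JAILROOT: print every regular file under JAILROOT with the
# setuid bit set. Running this against each jail root from the host is a
# cheap detection control for the scenario quoted above.
list_setuid() {
    find "$1" -type f -perm -4000 -print
}

# Usage (as root on a real host):
#   make_fence /usr/fence jail
#   fence_ok /usr/fence && echo "fence is closed"
#   list_setuid /usr/fence/jail
```

The check in fence_ok is deliberately strict: a fence of 0710 or 0750 would let members of the owning group traverse into the jail, so anything other than drwx------ is reported as open.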