Date: Fri, 6 May 2011 20:44:37 GMT From: Chris Rees <utisoft@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/156853: Update docs: jail(8) security issues with world-readable jail root Message-ID: <201105062044.p46KibYL031658@red.freebsd.org> Resent-Message-ID: <201105062050.p46KoDIh088241@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 156853 >Category: ports >Synopsis: Update docs: jail(8) security issues with world-readable jail root >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Fri May 06 20:50:13 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Chris Rees >Release: >Organization: >Environment: >Description: I brought this problem up on freebsd-security two years ago [1], and promptly forgot about it, but then another person [2] has brought it up again... Jails have a problem in that if the jail directory is world-readable, an attacker with root access to the jail can create a setuid binary for their own use in the host environment (if they also have this access), thus breaking root in the host. [1] http://freebsd.1045724.n5.nabble.com/Thoughts-on-jail-privilege-FAQ-submission-td4219099.html [2] http://lists.freebsd.org/pipermail/freebsd-security/2011-May/005886.html >How-To-Repeat: Follow instructions in the Handbook or jail(8) manpage, create a setuid binary inside the jail as root, and run it as unprivileged user in the host. >Fix: No fix, but precautions can be taken; this exploit is impossible if the jail's files are not world-readable. Docs patches for the Handbook [3] and for the jail(8) manpage [4] are provided. - Advise 0700 permissions for jail root directory to stop various exploits Patch submitted by: Chris Rees (utisoft@gmail.com) Discovered by: Chris Rees (utisoft@gmail.com) and Pétur Ingi Egilsson (petur@petur.eu) [3] http://www.bayofrum.net/~crees/patches/jail-secure-handbook.diff [4] http://www.bayofrum.net/~crees/patches/jail-secure-manpage.diff >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201105062044.p46KibYL031658>