From owner-freebsd-stable@FreeBSD.ORG Wed Dec 28 23:29:12 2011
From: Dag-Erling Smørgrav
To: Stephen Montgomery-Smith
Cc: freebsd-security@freebsd.org, Marin Atanasov Nikolov, ml-freebsd-stable
Subject: Re: Escaping from a jail with root privileges on the host
Date: Thu, 29 Dec 2011 00:11:26 +0100
Message-ID: <86zkecnvfl.fsf@ds4.des.no>
In-Reply-To: <4EFB69CA.9080804@missouri.edu> (Stephen Montgomery-Smith's message of "Wed, 28 Dec 2011 13:11:06 -0600")
List-Id: Production branch of FreeBSD source code

Stephen Montgomery-Smith writes:
> I agree with the poster that the jail didn't really escape, but was
> "sprung from the outside."

Easily prevented by making sure that every jail's root directory is
unreachable to unprivileged users.
Say your jails are in /jail/foo, /jail/bar and /jail/baz; if /jail is
readable only by root (and perhaps wheel), it won't be possible for
anyone else to move a directory out of a jail.

> But more than that, I imagine it would be very hard to stop this
> without either completely rethinking how unix filesystems work, or
> adding significant overhead to the OS so that it checks every single
> "mv" command against all existing jails.

Not really. It is trivial to get a list of processes that have a given
vnode as their wd:

    % fstat $PWD
    USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W NAME
    des      fstat      80052   wd /home/des     3 drwxr-xr-x     398 r   /home/des
    des      zsh        77329   wd /home/des     3 drwxr-xr-x     398 r   /home/des
    des      zsh        26841   wd /home/des     3 drwxr-xr-x     398 r   /home/des
    des      emacs       2577   wd /home/des     3 drwxr-xr-x     398 r   /home/des
    des      zsh         2574   wd /home/des     3 drwxr-xr-x     398 r   /home/des

So if any of these processes are jailed and the new location is outside
the jail root, the process should have its wd either forcibly changed
(e.g. to the jail root) or invalidated somehow. The problem is that you
not only have to check the directory you're moving, but all its
subdirectories as well. I can think of ways to speed up the process;
they require non-trivial changes to VFS, but not "completely rethinking
how unix filesystems work".

DES

-- 
Dag-Erling Smørgrav - des@des.no
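The check DES sketches above (find every jailed process whose working directory would land outside its jail root after a directory rename, including processes sitting in subdirectories of the moved directory, and reset their wd to the jail root) as a user-space model. This is an added example, not code from the mail or from FreeBSD's VFS; the process table below is constructed to stand in for fstat output, and the names Proc, is_under, relocate, processes_escaping and fix_wd are this example's own.

```python
"""
User-space model of the rename-time jail check described in the mail.
The kernel would consult the real process table; here a constructed one
stands in for fstat output.  Example code, not FreeBSD's VFS.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    cmd: str
    jail_root: Optional[str]  # None means the process is not jailed
    wd: str                   # current working directory


def is_under(path: str, root: str) -> bool:
    """True if path equals root or lies inside it.

    Comparison is done per path component, so /jail/foobar is NOT under
    /jail/foo; a plain string-prefix test would get that wrong.
    """
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def relocate(path: str, old: str, new: str) -> str:
    """Where `path` ends up after directory `old` is renamed to `new`.

    Paths outside the moved subtree are returned unchanged.
    """
    if not is_under(path, old):
        return path
    rel = posixpath.relpath(posixpath.normpath(path), posixpath.normpath(old))
    if rel == ".":
        return posixpath.normpath(new)
    return posixpath.normpath(posixpath.join(new, rel))


def processes_escaping(procs: List[Proc], old: str, new: str) -> List[Tuple[Proc, str]]:
    """Jailed processes whose wd would end up outside their jail root.

    Returns (process, wd-after-rename) pairs.  A rename that keeps the wd
    inside the jail (e.g. /jail/foo/var -> /jail/foo/var2) is harmless.
    """
    affected = []
    for p in procs:
        if p.jail_root is None:
            continue
        new_wd = relocate(p.wd, old, new)
        if new_wd != p.wd and not is_under(new_wd, p.jail_root):
            affected.append((p, new_wd))
    return affected


def fix_wd(procs: List[Proc], old: str, new: str) -> List[int]:
    """The remedy suggested in the mail: force the wd of each affected
    process back to its jail root.  Returns the pids that were changed."""
    fixed = []
    for p, _ in processes_escaping(procs, old, new):
        p.wd = p.jail_root
        fixed.append(p.pid)
    return fixed


def build_sample() -> List[Proc]:
    """Constructed process table (stand-in for fstat output)."""
    return [
        Proc(101, "sh",  "/jail/foo",    "/jail/foo/tmp/work"),  # subdir of moved dir
        Proc(102, "sh",  "/jail/foo",    "/jail/foo/tmp"),       # the moved dir itself
        Proc(103, "sh",  "/jail/foo",    "/jail/foo/home"),      # untouched
        Proc(104, "sh",  "/jail/foobar", "/jail/foobar/tmp"),    # prefix lookalike
        Proc(105, "zsh", None,           "/jail/foo/tmp"),       # host process, not jailed
        Proc(106, "sh",  "/jail/foo",    "/jail/foo/var/x"),     # not in moved subtree
    ]


if __name__ == "__main__":
    procs = build_sample()
    # Constructed scenario: a directory is moved out of the jail from the host.
    for p, new_wd in processes_escaping(procs, "/jail/foo/tmp", "/tmp/escaped"):
        print(f"pid {p.pid} ({p.cmd}): wd {p.wd} would become {new_wd}, outside {p.jail_root}")
    print("reset to jail root:", fix_wd(procs, "/jail/foo/tmp", "/tmp/escaped"))
```

Note that the list returned by processes_escaping is exactly the "all its subdirectories as well" cost the mail points out: every process whose wd is anywhere beneath the moved directory has to be examined, which is why doing this efficiently needs VFS support rather than a per-rename scan.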