Date:      Thu, 29 Dec 2011 00:11:26 +0100
From:      Dag-Erling Smørgrav <des@des.no>
To:        Stephen Montgomery-Smith <stephen@missouri.edu>
Cc:        freebsd-security@freebsd.org, Marin Atanasov Nikolov <dnaeon@gmail.com>, ml-freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: Escaping from a jail with root privileges on the host
Message-ID:  <86zkecnvfl.fsf@ds4.des.no>
In-Reply-To: <4EFB69CA.9080804@missouri.edu> (Stephen Montgomery-Smith's message of "Wed, 28 Dec 2011 13:11:06 -0600")
References:  <CAJ-UWtQnYWb8TUzk91Z+CxgfVsDM=WtBDrpP_V9pBnv7ar47Fw@mail.gmail.com> <4EFB69CA.9080804@missouri.edu>

Stephen Montgomery-Smith <stephen@missouri.edu> writes:
> I agree with the poster that the jail didn't really escape, but was
> "sprung from the outside."

Easily prevented by making sure that every jail's root directory is
unreachable to unprivileged users.  Say your jails are in /jail/foo,
/jail/bar and /jail/baz; if /jail is readable only by root (and perhaps
wheel), it won't be possible for anyone else to move a directory out of
a jail.

> But more than that, I imagine it would be very hard to stop this
> without either completely rethinking how unix filesystems work, or
> adding significant overhead to the OS so that it checks every single
> "mv" command against all existing jails.

Not really.  It is trivial to get a list of processes that have a given
vnode as their wd:

% fstat $PWD
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W NAME
des      fstat      80052   wd /home/des      3 drwxr-xr-x     398  r  /home/des
des      zsh        77329   wd /home/des      3 drwxr-xr-x     398  r  /home/des
des      zsh        26841   wd /home/des      3 drwxr-xr-x     398  r  /home/des
des      emacs       2577   wd /home/des      3 drwxr-xr-x     398  r  /home/des
des      zsh         2574   wd /home/des      3 drwxr-xr-x     398  r  /home/des

So if any of these processes are jailed and the new location is outside
the jail root, the process should have its wd either forcibly changed
(e.g. to the jail root) or invalidated somehow.

The problem is that you not only have to check the directory you're
moving, but all its subdirectories as well.  I can think of ways to
speed up the process; they require non-trivial changes to VFS, but not
"completely rethinking how unix filesystems work".

DES
-- 
Dag-Erling Smørgrav - des@des.no



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86zkecnvfl.fsf>