From: Tom Evans
To: Xin LI
Cc: "freebsd-security@freebsd.org", Nicola Galante
Date: Thu, 6 Mar 2014 02:13:57 +0000
Subject: Re: misc/187307: Security vulnerability with FreeBSD Jail
In-Reply-To: <5317B597.5050900@delphij.net>
References: <201403052307.s25N7NoD045308@cgiserv.freebsd.org> <5317B597.5050900@delphij.net>

On Wed, Mar 5, 2014 at 11:39 PM, Xin Li wrote:
> This is NOT a problem with jail.  For starters, it's a very bad idea to
> give out a host shell account, privileged or not, to jail users if they
> are not trusted.  Let's consider this scenario:
>
> jail$ su -l
> jail# cp /usr/bin/less /bin/root_shell
> jail# chown root:wheel /bin/root_shell
> jail# chmod 6555 /bin/root_shell
> jail# logout
> jail$ logout
>
> Then, you basically have a setuid binary that can be reached from the host
> system.  As an attacker I would do:
>
> host$ /path/to/jail/bin/root_shell
> #
>

As a defender I would hope that someone has already done:

host# chmod 700 /path/to

You're right though, jail users have no business on the host.

Cheers

Tom
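
A host-side check for the situation discussed in this thread, as an added example that is not part of the original message or of FreeBSD: it lists setuid/setgid files under a jail root and tests whether the directory containing that root is searchable by group or other, which is the access that `chmod 700 /path/to` removes. The function names are hypothetical, and only the immediate parent directory is checked, not every ancestor.

```shell
#!/bin/sh
# Added example: host-side audit of a jail root. The jail path is supplied
# by the caller; function names are illustrative, not from any FreeBSD tool.

# Print every setuid or setgid regular file under the jail root.
# -xdev keeps find on the jail's own filesystem.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Succeed (exit 0) if the directory holding the jail root can be searched
# by group or other, i.e. unprivileged host users can reach files inside it.
parent_is_reachable() {
    parent=$(dirname "$1")
    [ -n "$(find "$parent" -prune \( -perm -0010 -o -perm -0001 \) -print)" ]
}

# Return 1 only when setid files exist AND the parent directory is reachable.
audit_jail_root() {
    root=$1
    found=$(list_setid_files "$root")
    if [ -z "$found" ]; then
        echo "OK: no setuid/setgid files under $root"
        return 0
    fi
    if parent_is_reachable "$root"; then
        echo "EXPOSED: setid files reachable by unprivileged host users:"
        echo "$found"
        return 1
    fi
    echo "CONTAINED: setid files exist, but the parent blocks group/other:"
    echo "$found"
    return 0
}

# Usage: sh audit.sh /path/to/jail
if [ $# -eq 1 ]; then
    audit_jail_root "$1"
fi
```

Setuid binaries are normal inside a jail (`su`, `passwd`), so the `CONTAINED` result is the expected state on a host configured as the reply suggests.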