Date:      Sat, 29 Dec 2007 20:31:33 -0500
From:      "Dr. Aharon Friedman" <a.friedman@trunutrition.com>
To:        <freebsd-stable@freebsd.org>
Cc:        'Johan Ström' <johan@stromnet.se>
Subject:   RE: I just broke out of a FreeBSD jail.. Known bug??
Message-ID:  <05b801c84a83$b76219d0$292d280a@friedman.net>
In-Reply-To: <91064C44-1A41-4FCB-A718-1EF3A63E2273@stromnet.se>
References:  <91064C44-1A41-4FCB-A718-1EF3A63E2273@stromnet.se>

It does not look like you broke it.  Moving directories between jails
while they are running is not part of the game as it breaks chroot.  You
could manipulate files between jails with the jails up by using
networking, such as ftp.

Obviously, one could program chroot to be able to "eat" this stuff, but
it will make the system cumbersome.  Remember, Jails are supposed to
protect against an outside attacker, not against the sys admin.

Aharon

-----Original Message-----
From: Johan Ström [mailto:johan@stromnet.se]
Sent: Friday, December 28, 2007 7:16 AM
To: freebsd-stable@freebsd.org
Subject: I just broke out of a FreeBSD jail.. Known bug??

Hello list!

I'm running a FreeBSD 6.2-p8 box with a few jails. The other day a
user of mine uploaded a number of files to one jail, then I (in the
actual system outside of all jails) moved that directory to another
jail.. When I later did some chdiring in the original jail, I found
myself standing in my other jail's pwd and being able to
read/manipulate files!..

Example:

jb-1 (the base machine, jailbox-1)
shell (jail 1)
core (jail 2)

shell /home/johan# pwd
/home/johan
shell /home/johan# ls
.cshrc          .irssi          .login_conf     .mailrc         .profile        .shrc           .zcompdump      public_html
.histfile       .login          .mail_aliases   .noident        .rhosts         .ssh            .zshrc
shell /home/johan# mkdir test
shell /home/johan# cd test
shell /home/johan/test# touch asd
shell /home/johan/test# ls -al
total 4
drwxr-xr-x  2 root   root   512 Dec 28 13:09 .
drwxr-x--x  6 johan  johan  512 Dec 28 13:09 ..
-rw-r--r--  1 root   root    0 Dec 28 13:09 asd
shell /home/johan/test#

Then moving it on the root box

jb-1 /usr/jails# mv shell/home/johan/test core/home/johan/
jb-1 /usr/jails#

And back on shell jail:

shell /home/johan/test# ls
asd
shell /home/johan/test# pwd
pwd: .: No such file or directory
shell /home/johan/test# cd ..
shell /home/johan# ls
.cshrc          .lesshst        .mailrc         .shrc           .vimrc          file.big        roundcube.sql   www.tar.gz
.histfile       .login          .mysql_history  .ssh            .zcompdump      pics            stuff
.history        .login_conf     .profile        .vim            .zshrc          postfix-2.4.5   test
.irssi          .mail_aliases   .rhosts         .viminfo        cacert.pem      public_html     vmail.tar.gz
shell /home/johan#

That's my home dir on core!.. That should very much not be visible
there! I have full access now (from the wrong jail!)

Known bug or did I just stumble upon something pretty bad??

--
Johan Ström
Stromnet
johan@stromnet.se
http://www.stromnet.se/
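
Added example (not part of the original messages): a simplified Python model of why the session above lands in core's home directory, plus the ancestry check an admin can reason with. It assumes the usual chroot-style rule that ".." is refused only when the lookup is standing on the jail's root directory; the class and function names are hypothetical and the tree is constructed from the paths in the transcript.

```python
class Dir:
    """One directory node; a process's cwd is a reference to a node, not a path."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}
        if parent is not None:
            parent.children[name] = self

    def path(self):
        """Host-side absolute path of this directory."""
        parts, d = [], self
        while d.parent is not None:
            parts.append(d.name)
            d = d.parent
        return "/" + "/".join(reversed(parts))

def mkdirs(root, path):
    """Create (or reuse) each component of path below root."""
    d = root
    for part in path.strip("/").split("/"):
        d = d.children.get(part) or Dir(part, d)
    return d

def move(d, new_parent):
    """Host-side mv: re-parent the node; anyone holding it as cwd keeps it."""
    del d.parent.children[d.name]
    d.parent = new_parent
    new_parent.children[d.name] = d

def dotdot(cwd, jail_root):
    """Assumed rule: '..' is clamped only when cwd IS the jail root."""
    return cwd if cwd is jail_root or cwd.parent is None else cwd.parent

def inside(d, jail_root):
    """Defender's check: is d still a descendant of jail_root?"""
    while d is not None:
        if d is jail_root:
            return True
        d = d.parent
    return False

def demo():
    host = Dir("")
    shell_root = mkdirs(host, "/usr/jails/shell")
    core_root = mkdirs(host, "/usr/jails/core")
    cwd = mkdirs(shell_root, "home/johan/test")   # jailed shell's cwd
    core_home = mkdirs(core_root, "home/johan")
    before = inside(cwd, shell_root)
    move(cwd, core_home)                          # the mv run on jb-1
    up = dotdot(cwd, shell_root)                  # "cd .." inside the shell jail
    return before, inside(cwd, shell_root), up.path()
```

After the move, walking up from the old cwd never passes through the shell jail's root, so the clamp never fires; the same ancestry test is what tells the admin that a directory held open by a jailed process is about to leave that jail's tree.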
