From owner-freebsd-stable@FreeBSD.ORG Sun Dec 30 01:58:11 2007 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D16B516A419 for ; Sun, 30 Dec 2007 01:58:11 +0000 (UTC) (envelope-from a.friedman@trunutrition.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.247]) by mx1.freebsd.org (Postfix) with ESMTP id 93E9B13C465 for ; Sun, 30 Dec 2007 01:58:11 +0000 (UTC) (envelope-from a.friedman@trunutrition.com) Received: by an-out-0708.google.com with SMTP id c14so835681anc.13 for ; Sat, 29 Dec 2007 17:58:10 -0800 (PST) Received: by 10.100.209.11 with SMTP id h11mr22656033ang.52.1198978305217; Sat, 29 Dec 2007 17:31:45 -0800 (PST) Received: from aharonlap ( [71.41.74.141]) by mx.google.com with ESMTPS id b14sm13996864ana.26.2007.12.29.17.31.42 (version=SSLv3 cipher=RC4-MD5); Sat, 29 Dec 2007 17:31:43 -0800 (PST) From: "Dr. Aharon Friedman" To: References: <91064C44-1A41-4FCB-A718-1EF3A63E2273@stromnet.se> Date: Sat, 29 Dec 2007 20:31:33 -0500 Organization: TRU Nutrition Message-ID: <05b801c84a83$b76219d0$292d280a@friedman.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook 11 In-Reply-To: <91064C44-1A41-4FCB-A718-1EF3A63E2273@stromnet.se> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 thread-index: AchKWMnkKT2IypkJSS6LCu0x5mqxcgAKX9qg Cc: =?iso-8859-1?Q?'Johan_Str=F6m'?= Subject: RE: I just broke out of a FreeBSD jail.. Known bug?? X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 30 Dec 2007 01:58:11 -0000 It does not look like you broke it. Moving directories between jails = while they are running is not part of the game as it breaks chroot. You could manipulate files between jails with the jails up by using networking, = such as ftp. Obviously, one could program chroot to be able to "eat" this stuff, but = it will make the system cumbersome. Remember, Jails are supposed to = protect against an outside attacker, not against the sys admin. Aharon -----Original Message----- From: Johan Str=F6m [mailto:johan@stromnet.se]=20 Sent: Friday, December 28, 2007 7:16 AM To: freebsd-stable@freebsd.org Subject: I just broke out of a FreeBSD jail.. Known bug?? Hello list! I'm running a FreeBSD 6.2-p8 box with a few jails. The other day a =20 user of mine uploaded a number of files to one jail, then I (in the =20 actual system outside of all jails) moved that directory to another =20 jail.. When I later did some chdiring in the original jail, I found =20 my self standing in my other jails pwd and beeing able to read/=20 manipulate files!.. Example: jb-1 (the base machine, jailbox-1) shell (jail 1) core (jail 2) shell /home/johan# pwd /home/johan shell /home/johan# ls .cshrc .irssi .login_conf .mailrc .profile = .shrc .zcompdump public_html .histfile .login .mail_aliases .noident .rhosts = .ssh .zshrc shell /home/johan# mkdir test shell /home/johan# cd test shell /home/johan/test# touch asd shell /home/johan/test# ls -al total 4 drwxr-xr-x 2 root root 512 Dec 28 13:09 . drwxr-x--x 6 johan johan 512 Dec 28 13:09 .. -rw-r--r-- 1 root root 0 Dec 28 13:09 asd shell /home/johan/test# Then moving it on the root box jb-1 /usr/jails# mv shell/home/johan/test core/home/johan/ jb-1 /usr/jails# And back on shell jail: shell /home/johan/test# ls asd shell /home/johan/test# pwd pwd: .: No such file or directory shell /home/johan/test# cd .. shell /home/johan# ls .cshrc .lesshst .mailrc .shrc .vimrc = file.big roundcube.sql www.tar.gz .histfile .login .mysql_history .ssh .zcompdu = mp pics stuff .history .login_conf .profile .vim .zshrc = postfix-2.4.5 test .irssi .mail_aliases .rhosts .viminfo =20 cacert.pem public_html vmail.tar.gz shell /home/johan# Thats my home dir on core!.. That should very much not be visible =20 there! I have full access now (from the wrong jail!) Known bug or did I just stumble upon something pretty bad?? -- Johan Str=F6m Stromnet johan@stromnet.se http://www.stromnet.se/ No virus found in this outgoing message. Checked by AVG Free Edition.=20 Version: 7.5.516 / Virus Database: 269.17.11/1201 - Release Date: = 12/28/2007 11:51 AM =20