From owner-freebsd-security Fri May 12 8:47:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from modemcable127.61-201-24.mtl.mc.videotron.net (modemcable127.61-201-24.mtl.mc.videotron.net [24.201.61.127]) by hub.freebsd.org (Postfix) with SMTP id E3D1A37B54E for ; Fri, 12 May 2000 08:47:29 -0700 (PDT) (envelope-from patrick@mindstep.com) Received: (qmail 62705 invoked from network); 12 May 2000 15:47:29 -0000 Received: from patrak.local.mindstep.com (HELO PATRAK) (192.168.10.4) by jacuzzi.local.mindstep.com with SMTP; 12 May 2000 15:47:29 -0000 Message-ID: <0e8c01bfbc29$4432e390$040aa8c0@local.mindstep.com> From: "Patrick Bihan-Faou" To: "Cy Schubert - ITSD Open Systems Group" Cc: References: <4226.958118411@critter.freebsd.dk> <200005121319.e4CDJev40777@cwsys.cwsent.com> Subject: Re: envy.vuurwerk.nl daily run output Date: Fri, 12 May 2000 11:46:41 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, > I was about to comment that anyone with root can break out of any > chrooted environment including jail, however testing the break out of > jail exploit (good thing I tested before I spoke), which BTW worked on > FreeBSD-3 and numerous other platforms including Linux, Solaris, and > Tru64-UNIX, appears to no longer work under 4.0 -- which is a good > thing! When did the FreeBSD chroot(2) get fixed? > > Once again FreeBSD leads the way. > > Following is the break-out-of-jail code. I just tested the exploit code on a 3.4 system and a 4.0 system and my results are: - if I run the program as root, then programs runs properly: starts SH in / - if I run the program as !root, then the program fails to chroot to back to / (I guess this is the expected behaviour). For info: The FreeBSD 3.x machine: FreeBSD jacuzzi.local.mindstep.com 3.4-STABLE FreeBSD 3.4-STABLE #8: Thu Apr 27 00:13:41 EDT 2000 patrick@jacuzzi.local.mindstep.com:/usr/src/sys/compile/JACUZZI i386 The FreeBSD 4.0 machine: FreeBSD nitro 4.0-STABLE FreeBSD 4.0-STABLE #3: Fri Apr 21 15:10:09 EDT 2000 patrick@nitro:/usr/src/sys/compile/NITRO i386 So my question is: is the exploit really fixed ? Or is it normal for root to be able to break loose from chroot ? Patrick. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message