From owner-freebsd-security  Sun Jan 30 16: 5:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xkis.kis.ru (xkis.kis.ru [195.98.32.200])
	by hub.freebsd.org (Postfix) with ESMTP id 8E4B014FDC
	for <security@freebsd.org>; Sun, 30 Jan 2000 16:05:52 -0800 (PST)
	(envelope-from dv@dv.ru)
Received: from localhost (dv@localhost)
          by xkis.kis.ru (8.9.3/8.9.3) with SMTP id DAA15783
          for <security@freebsd.org>; Mon, 31 Jan 2000 03:05:46 +0300 (MSK)
Date: Mon, 31 Jan 2000 03:05:46 +0300 (MSK)
From: Dmitry Valdov <dv@dv.ru>
X-Sender: dv@xkis.kis.ru
To: security@freebsd.org
Subject: jail..
Message-ID: <Pine.BSF.3.95q.1000131025803.12484A-100000@xkis.kis.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

It is possible to take root on entire machine if someone has an account on
it an root under jail.
for example, we're running jail with chroot to /usr/jail. Someone have root
in chroot'ed environment.
So, he can create setuid shell in /usr/jail.
But if he have normail account on machine, he can run it from /usr/jail and
take root on entire machine. 
chmod /usr/jail doesn't help because chrooted / cannot be read by anyone :( 

I think that the right solution is to make directory for chroot under 700's
directory. Should it be documented in jail man page?

Dmitry.





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message