From owner-freebsd-hackers@FreeBSD.ORG  Sun Dec 31 15:07:09 2006
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id F176E16A403;
	Sun, 31 Dec 2006 15:07:09 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.freebsd.org (Postfix) with ESMTP id 9D79613C45B;
	Sun, 31 Dec 2006 15:07:09 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
	by cyrus.watson.org (Postfix) with ESMTP id 923BC487E7;
	Sun, 31 Dec 2006 10:07:05 -0500 (EST)
Date: Sun, 31 Dec 2006 15:07:05 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
X-X-Sender: robert@fledge.watson.org
To: Colin Percival <cperciva@freebsd.org>
In-Reply-To: <459743C3.90801@freebsd.org>
Message-ID: <20061231150623.M7974@fledge.watson.org>
References: <20061229120030.3DCE316A530@hub.freebsd.org>
	<45950CFD.5020506@freebsd.org>
	<20061229090146.d2bc2b1c.wmoran@collaborativefusion.com>
	<459743C3.90801@freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-hackers@freebsd.org, Bill Moran <wmoran@collaborativefusion.com>
Subject: Re: Modified version of jexec allows non-root access into jails
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Dec 2006 15:07:10 -0000


On Sat, 30 Dec 2006, Colin Percival wrote:

> Bill Moran wrote:
>> You also describe a scenerio where a user can create a jail of his own 
>> design and give himself root inside it, thus allowing him to use the setuid 
>> trick to get root on the host as well.  The place this falls down is that 
>> the user would need to already have root to create the jail in the first 
>> place.
>
> Not necessarily.  An unprivileged user can create hard links to binaries he 
> doesn't own, including suid binaries.

BTW, I understand that Solaris has now changed the default to be that users 
cannot hard link files they don't own.  We have a sysctl option for that -- if 
this is now a widespread default, I wonder if we should be considering 
switching the default?

Robert N M Watson
Computer Laboratory
University of Cambridge