Date: Sun, 8 May 2011 13:39:31 -0400 From: Jason Hellenthal <jhell@DataIX.net> To: Chris Rees <utisoft@gmail.com> Cc: Jamie Landeg Jones <jamie@bishopston.net>, freebsd-security@freebsd.org, feld@feld.me, Edho P Arief <edhoprima@gmail.com> Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur) Message-ID: <20110508173931.GA2757@DataIX.net> In-Reply-To: <BANLkTi=8by=rtbNUDtA8CRSMJsmgPOR2XA@mail.gmail.com> References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <op.vu2g4b0k34t2sn@tech304> <BANLkTikJgPt4SM_B_7drpgFvO8RkvXaOtw@mail.gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> <BANLkTikgnqXB4pdvCd9j9n7pFvg=n5FrdQ@mail.gmail.com> <20110508075203.GA61754@DataIX.net> <BANLkTi=8by=rtbNUDtA8CRSMJsmgPOR2XA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Chris, On Sun, May 08, 2011 at 09:58:05AM +0100, Chris Rees wrote: > On 8 May 2011 08:52, Jason Hellenthal <jhell@dataix.net> wrote: > > > > Edho, > > > > On Sun, May 08, 2011 at 09:15:28AM +0700, Edho P Arief wrote: > >> On Sun, May 8, 2011 at 5:31 AM, Jamie Landeg Jones <jamie@bishopston.n= et> wrote: > >> >> All the same, I've sent a PR [1] with some doc patches to make peop= le > >> >> more aware of this -- fulfilling my promise of 2+ years ago :S > >> >> > >> >> Thanks! > >> >> > >> >> Chris > >> >> > >> >> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=3D156853 > >> > > >> > Um. Some problems here. > >> > > >> > A jail won't work for not-root users if the jail root directory is c= hmod 700 - although > >> > there is obviously a 'chroot' running withing the jail, the jailed u= ser still needs > >> > to have read permission from the hosts / -- chmod 700 therefore lock= s all non-root > >> > users out. > >> > > >> > >> It's weird - I don't remember having such problem after setting jails' > >> root directory permission to 700. I don't have the system anymore so I > >> can't verify it just yet. > > > > It should also be noted here that the jailed root user also has permiss= ion > > to chmod(1) '/' to anything he or she wants unless you have taken > > precaution to not allow that. I would reccoment storing your jails two > > levels deep into a directory and chmod(1) 700 the first level to prevent > > access from the host and from the jailed root user changing the perms. > > >=20 > Oops, you're absolutely right. >=20 > I've updated the docs patches (links at [1]), though unfortunately it > means it's a little less elegant; I'm reluctant to suggest >=20 > # chmod 0700 $D/.. >=20 Haha I would strongly suggest against that ;) Not knowing where people are= =20 keeping the jails would impose quite a bit of harm if they did have them=20 in places like that or /var/jailname. Unfortunately in this case we can=20 only update the docs and hope that the user will keep up-to-date with=20 reading them. Only other possibility I see is ensuring that noone inside the jail can=20 chmod or do anyting on / but this may actually be quite tough. > in case someone sets $D to /usr/local/myjail or similar... >=20 > Chris >=20 > [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=3Ddocs/156853 --=20 Regards, (jhell) Jason Hellenthal --RnlQjJ0d97Da+TV1 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (FreeBSD) Comment: http://bit.ly/0x89D8547E iQEcBAEBAgAGBQJNxtVSAAoJEJBXh4mJ2FR+sB4H/3PoFa0YLpO+TWZUvvtq6lpB EEuwDlGgdgy9kr49LzHX8rAM/cMpOcVF2J2+oODHJDLFLHX+osyVSgkyWUp98BkP znPsN16dEOEChjQPL6oNY2JkOZMFLUZnTq1oAq0/pplc4xXQyE4oyidqVm6Qhp16 2G3gk+8aDOHYOFQxzt81Lusi5VEOxobkWI1CqB/Xakw+z43UaOD/wkY7T4tlJjKf CNKQToRzjAUxyPNVa1kYCGdzPQTowvvgvKTCWL6naO/9QkBAYEIexru2YdP1JdZS 1MNo/ZzPUGjQJrnfBfThYvUI5G1uOYRPCBgw46+RG4bSvSpA+Bf6SwOKlTGzxkY= =OWgi -----END PGP SIGNATURE----- --RnlQjJ0d97Da+TV1--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110508173931.GA2757>