Message-ID: <4EFB60B7.4040200@freebsd.org>
Date: Wed, 28 Dec 2011 10:32:23 -0800
From: Julian Elischer
To: Marin Atanasov Nikolov
Cc: freebsd-security@freebsd.org, ml-freebsd-stable
Subject: Re: Escaping from a jail with root privileges on the host

On 12/28/11 12:58 AM, Marin Atanasov Nikolov wrote:
> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
>   everything as root
>
> First, created a folder *inside* the jail and cd to it:
>
>     host$ sudo ezjail-admin console jail-test
>
>     jail-test# id
>     uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>
>     jail-test# mkdir ~/jail-folder
>     jail-test# cd ~/jail-folder
>
>     jail-test# pwd
>     /root/jail-folder
>
> Then from the host machine I've moved this folder to the cwd.
>
>     host$ pwd
>     /usr/home/mra
>
>     host$ sudo mv /home/jails/jail-test/root/jail-folder .
>
> And then here's where the jail ends up :)
>
>     jail-test# pwd
>     /usr/home/mra/jail-folder
>
>
> From here on the Jail's root user has full root privileges to the
> host's filesystem.
>
> Not sure if it is sudo or jail issue, and would be nice if someone
> with more experience can check this up :)

This is not really "escaping". It's more like "being sprung by your
friends outside" since it requires outside participation. The jailed
process cannot do it by itself.

Now what would be more interesting is if the jailed process can make a
new jail inside the old jail and then 'spring' the inmate there.
Will that inmate be still inside the parent jail, or outside both jails?

> Regards,
> Marin
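An added example, not part of the original thread: a host-side check an administrator could run before moving a directory out of a jail's tree, plus an audit for jailed processes whose working directory already sits outside their jail root. It assumes the jail roots and each process's jid and host-view cwd have already been collected as resolved absolute paths; the function names, jids and pids are hypothetical.

```python
import posixpath

def is_within(path, root):
    """True if path is root or lies below it, compared per path component."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return posixpath.commonpath([path, root]) == root

def stray_processes(jail_roots, procs):
    """Jailed processes whose host-view cwd is not under their jail's root."""
    return [p for p in procs
            if p["jid"] in jail_roots
            and not is_within(p["cwd"], jail_roots[p["jid"]])]

def carried_out_by_move(src, dst, jail_roots, procs):
    """Jailed processes whose cwd would leave their jail if src became dst."""
    hits = []
    for p in procs:
        root = jail_roots.get(p["jid"])
        if root is None or not is_within(p["cwd"], src):
            continue  # not jailed in a known jail, or cwd not under src
        moved = posixpath.join(dst, posixpath.relpath(p["cwd"], src))
        if not is_within(moved, root):
            hits.append(p)
    return hits

# Constructed inventory; paths follow the thread, jids and pids are made up.
JAIL_ROOTS = {1: "/home/jails/jail-test", 2: "/home/jails/jail-test2"}
SRC = "/home/jails/jail-test/root/jail-folder"
DST = "/usr/home/mra/jail-folder"
BEFORE = [
    {"pid": 4101, "jid": 1, "cwd": SRC},
    {"pid": 4102, "jid": 1, "cwd": "/home/jails/jail-test/tmp"},
    {"pid": 4203, "jid": 2, "cwd": "/home/jails/jail-test2/root"},
]
# Same processes after the host-side mv described in the thread.
AFTER = [dict(p, cwd=DST) if p["pid"] == 4101 else p for p in BEFORE]

if __name__ == "__main__":
    print("would leave jail:", carried_out_by_move(SRC, DST, JAIL_ROOTS, BEFORE))
    print("already outside: ", stray_processes(JAIL_ROOTS, AFTER))
```

The comparison is per path component, so a sibling jail such as jail-test2 is not mistaken for a subdirectory of jail-test.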