Date: Wed, 28 Dec 2011 15:39:43 -0500 (EST)
From: Benjamin Kaduk
To: Marin Atanasov Nikolov
Cc: freebsd-security@freebsd.org
Subject: Re: Escaping from a jail with root privileges on the host
List-Id: "Security issues [members-only posting]"

[minus -stable]

On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:

> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
> everything as root

I cannot see how the use of sudo would be relevant -- the fundamental
issue merely requires the vnode of the directory in question to be moved
(not copied) past the jail's root vnode. Could you give a bit more detail
about how you came to believe that sudo is necessary?

-Ben Kaduk