From: Greg Larkin
Date: Thu, 15 Apr 2010 21:54:03 -0400
To: "Erich Jenkins, Fuujin Group Ltd"
Subject: Re: jail file and directory permissions
Message-ID: <4BC7C33B.9000107@FreeBSD.org>
In-Reply-To: <4BC4C91D.7020107@fuujingroup.com>

Erich Jenkins, Fuujin Group Ltd wrote:
> Erich Jenkins, Fuujin Group Ltd wrote:
>> Greg Larkin wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Erich Jenkins, Fuujin Group Ltd wrote:
>>>> Kalle Møller wrote:
>>>>
>>>>> Could you please make a command list on what you're doing and with
>>>>> output.. like this ...
>>>>>
>>>>> --
>
>> Since this was a buildworld copied via NFS from a build environment,
>> it appears that something has gone terribly wrong during the build.
>> I'm going to wipe this machine and do a completely fresh install of
>> 7.0-REL, buildworld, and set up a jail to see if something did indeed
>> break, or if this is an actual bug.
>>
>> Thank you very much to everyone who's responded to this issue. Your
>> input has been instrumental in helping troubleshoot this. I'll post as
>> soon as the build completes and I have a chance to test this tonight.
>>
>> Erich M. Jenkins
>> Fuujin Group Limited
>>
>> "You should never, never doubt what no one is sure about."
>> -- Gene Wilder
>
> All:
>
> After a fresh buildworld on this box, I am no longer seeing this user
> permissions issue, which leads me to believe something is very very
> wrong with the way it was built on the build server for the cluster. If
> anyone would like, I'll tar up the build environment and put it
> somewhere it can be accessed, assuming someone has the time/inclination
> to sift through it and see what happened. I spent a few hours this
> morning going through it and can't find anything out of the ordinary,
> but most of the inner working of jails is a "black box" to me.
>
> Thank you for all the feedback. I'm setting up the new build environment
> for the cluster to fix this issue for deployed systems.
>
> Erich M. Jenkins
> Fuujin Group Limited
>
> "You should never, never doubt what no one is sure about."
> -- Gene Wilder

Hi Erich,

I'm glad to hear that you got everything sorted out! If it's possible to
set up the previous environment in a virtual machine or some spare
hardware and grant me an ssh login, I would be interested in doing more
tests to see if I can figure out what's going on.

Whether there's a bug in the jail subsystem or a hole in the
provisioning process that allows the privilege escalation, it would
certainly be good to find the root cause.

Thank you,
Greg
--
Greg Larkin

http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you