From: Stephen Montgomery-Smith
Date: Wed, 28 Dec 2011 13:11:06 -0600
To: Marin Atanasov Nikolov
Cc: freebsd-security@freebsd.org, ml-freebsd-stable
Subject: Re: Escaping from a jail with root privileges on the host
Message-ID: <4EFB69CA.9080804@missouri.edu>

On 12/28/2011 02:58 AM, Marin Atanasov Nikolov wrote:
> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
>   everything as root
>
> First, created a folder *inside* the jail and cd to it:
>
> host$ sudo ezjail-admin console jail-test
>
> jail-test# id
> uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>
> jail-test# mkdir ~/jail-folder
> jail-test# cd ~/jail-folder
>
> jail-test# pwd
> /root/jail-folder
>
> Then from the host machine I've moved this folder to the cwd.
>
> host$ pwd
> /usr/home/mra
>
> host$ sudo mv /home/jails/jail-test/root/jail-folder .
>
> And then here's where the jail ends up :)
>
> jail-test# pwd
> /usr/home/mra/jail-folder
>
> From here on the Jail's root user has full root privileges to the
> host's filesystem.
>
> Not sure if it is sudo or jail issue, and would be nice if someone
> with more experience can check this up :)
>
> Regards,
> Marin
>

This is rather fascinating. I agree with the poster that the jail didn't really escape, but was "sprung from the outside."

But more than that, I imagine it would be very hard to stop this without either completely rethinking how unix filesystems work, or adding significant overhead to the OS so that it checks every single "mv" command against all existing jails.

I think the warning in the man page

http://svnweb.freebsd.org/base/head/usr.sbin/jail/jail.8?r1=221665&r2=224286

is a better way to go.

Stephen
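
The per-move check against every jail root that the reply describes, sketched as an added example (not part of the original message, and not FreeBSD or ezjail code). The function names and the caller-supplied list of jail roots are assumptions; the paths in the comments are the ones from the quoted report.

```python
import os
import sys


def _real(path):
    # Resolve symlinks first: in the report, /home/jails/... and /usr/home/mra
    # are spelled differently, so comparing raw strings can mislead.
    return os.path.realpath(path)


def is_within(path, root):
    """True if path is root or lies below it, compared per path component."""
    path, root = _real(path), _real(root)
    # commonpath() works on whole components, so /home/jails/jail-test2
    # is not mistaken for something inside /home/jails/jail-test.
    return os.path.commonpath([path, root]) == root


def jails_left_by_move(src, dst, jail_roots):
    """Return the jail roots that contain src but would not contain dst."""
    left = []
    for root in jail_roots:
        if _real(src) == _real(root):
            continue  # the jail root itself is not a directory inside the jail
        if is_within(src, root) and not is_within(dst, root):
            left.append(root)
    return left


def check_move(src, dst, jail_roots):
    """Raise PermissionError rather than let a directory leave a jail tree."""
    left = jails_left_by_move(src, dst, jail_roots)
    if left:
        raise PermissionError(
            f"{src} -> {dst} leaves jail root(s): {', '.join(left)}")


if __name__ == "__main__":
    # usage: check_move.py SRC DST JAIL_ROOT [JAIL_ROOT ...]
    if len(sys.argv) < 4:
        sys.exit("usage: check_move.py SRC DST JAIL_ROOT [JAIL_ROOT ...]")
    try:
        check_move(sys.argv[1], sys.argv[2], sys.argv[3:])
    except PermissionError as exc:
        sys.exit(f"refused: {exc}")
    print("ok: move stays on one side of every jail root")
```

This only covers moves that are routed through the check, and it does not look at whether a jailed process currently has its working directory under the source.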