From: Marin Atanasov Nikolov
To: Benjamin Kaduk
Cc: freebsd-security@freebsd.org
Date: Thu, 29 Dec 2011 00:42:09 +0200
Subject: Re: Escaping from a jail with root privileges on the host

On Wed, Dec 28, 2011 at 10:39 PM, Benjamin Kaduk wrote:
> [minus -stable]
>
> On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:
>
>> Hello,
>>
>> Today I've managed to escape from a jail by accident and ended up with
>> root access to the host's filesystem.
>>
>> Here's what I did:
>>
>> * Using ezjail for managing my jails
>> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
>> * This works only when I use sudo, and cannot reproduce if I execute
>> everything as root
>
> I cannot see how the use of sudo would be relevant -- the fundamental issue
> merely requires the vnode of the directory in question to be moved (not
> copied) past the jail's root vnode.  Could you give a bit more detail about
> how you came to believe that sudo is necessary?
>

Hi everyone,

Thanks for the feedback.

@Ben: I was able only to reproduce this using sudo(8) when doing "mv ."
(See first mail for exact steps)

Important notes:

* The directory to mv is "." (cwd) - mv'ing to anything else than "."
  does not harm
* Doing the "mv ." as root user (without sudo(8) !) does not result in
  jail getting access to the host's fs

That is why I've mentioned that I'm not sure whether this is sudo(8)
related or ezjail, or just jail.. I can only reproduce it using sudo
for moving the folder...

Hope that clears a bit things :)

Regards,
Marin

> -Ben Kaduk

--
Marin Atanasov Nikolov
dnaeon AT gmail DOT com
daemon AT unix-heaven DOT org
http://www.unix-heaven.org/