From: "Erich Jenkins, Fuujin Group Ltd" <erich@fuujingroup.com>
Date: Fri, 16 Apr 2010 04:20:26 -0600
To: glarkin@FreeBSD.org
Cc: freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org, smithi@nimnet.asn.au
Subject: Re: jail file and directory permissions
Message-ID: <4BC839EA.30307@fuujingroup.com>
In-Reply-To: <4BC7C33B.9000107@FreeBSD.org>
List-Id: "Discussion about FreeBSD jail(8)" <freebsd-jail@freebsd.org>

Greg Larkin wrote:
> Erich Jenkins, Fuujin Group Ltd wrote:
>> Erich Jenkins, Fuujin Group Ltd wrote:
>>> Greg Larkin wrote:
>>>> Erich Jenkins, Fuujin Group Ltd wrote:
>>>>> Kalle Møller wrote:
>>>>>
>>>>>> Could you please make a command list on what you're doing and with
>>>>>> output.. like this ...
>>>>>>
>>>>>> --
>>
>
> Hi Erich,
>
> I'm glad to hear that you got everything sorted out! If it's possible
> to set up the previous environment in a virtual machine or some spare
> hardware and grant me an ssh login, I would be interested in doing more
> tests to see if I can figure out what's going on.
>
> Whether there's a bug in the jail subsystem or a hole in the
> provisioning process that allows the privilege escalation, it would
> certainly be good to find the root cause.
>
> Thank you,
> Greg
> --
> Greg Larkin
>
> http://www.FreeBSD.org/ - The Power To Serve
> http://www.sourcehosting.net/ - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you
>

Greg:

I'd be happy to get this set up in the lab for you to look at, but at the moment, all of our lab machines are in use (I rolled this box over to a community project after buildworld "cleaned" it up). I try to provide hardware resources to FreeBSD committers and developers hunting down problems, and at the moment I'm at the limit; there's no hardware left. As soon as something becomes available, I'll drop you a line and get this onto a test server.

Generally, I create a VRF for each test environment with outside access via ssh and an internet connection for fetching whatever may be necessary (most often 10 Mbps). OpenVPN access is also available, depending on what the committer/developer wants.

Thank you again for your interest in this anomaly (for lack of a better description). I'll get something up for you as soon as a box becomes available.

Any preference on platform (considering this did not seem to be platform dependent)? I can do sparc64, amd64/x86-64, itanium2, and i386/x86-32. The environment I'm experiencing the problem in is x86-32, and I think someone is almost done with a DL580-G3, so I can roll that out when it becomes available.

Erich M. Jenkins
Fuujin Group Limited

"You should never, never doubt what no one is sure about." -- Gene Wilder