From: Johan Ström
To: freebsd-stable@freebsd.org
Date: Fri, 28 Dec 2007 13:15:38 +0100
Subject: I just broke out of a FreeBSD jail.. Known bug??

Hello list!

I'm running a FreeBSD 6.2-p8 box with a few jails.
The other day a user of mine uploaded a number of files to one jail, then I (in the actual system outside of all jails) moved that directory to another jail.. When I later did some chdiring in the original jail, I found myself standing in my other jail's pwd and being able to read/manipulate files!..

Example:

jb-1 (the base machine, jailbox-1)
shell (jail 1)
core (jail 2)

shell /home/johan# pwd
/home/johan
shell /home/johan# ls
.cshrc     .irssi  .login_conf    .mailrc   .profile  .shrc  .zcompdump  public_html
.histfile  .login  .mail_aliases  .noident  .rhosts   .ssh   .zshrc
shell /home/johan# mkdir test
shell /home/johan# cd test
shell /home/johan/test# touch asd
shell /home/johan/test# ls -al
total 4
drwxr-xr-x 2 root root 512 Dec 28 13:09 .
drwxr-x--x 6 johan johan 512 Dec 28 13:09 ..
-rw-r--r-- 1 root root 0 Dec 28 13:09 asd
shell /home/johan/test#

Then moving it on the root box

jb-1 /usr/jails# mv shell/home/johan/test core/home/johan/
jb-1 /usr/jails#

And back on shell jail:

shell /home/johan/test# ls
asd
shell /home/johan/test# pwd
pwd: .: No such file or directory
shell /home/johan/test# cd ..
shell /home/johan# ls
.cshrc     .lesshst       .mailrc         .shrc     .vimrc      file.big       roundcube.sql  www.tar.gz
.histfile  .login         .mysql_history  .ssh      .zcompdump  pics           stuff
.history   .login_conf    .profile        .vim      .zshrc      postfix-2.4.5  test
.irssi     .mail_aliases  .rhosts         .viminfo  cacert.pem  public_html    vmail.tar.gz
shell /home/johan#

That's my home dir on core!.. That should very much not be visible there! I have full access now (from the wrong jail!)

Known bug or did I just stumble upon something pretty bad??

--
Johan Ström
Stromnet
johan@stromnet.se
http://www.stromnet.se/
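A working directory is a reference to the directory itself rather than to its path, so after the `mv` in the session above, `..` leads to the directory's new parent. The following is an added illustration, not part of the original message: it uses constructed temporary directories in place of the two jail roots (no jail or chroot is involved), and `reaches_root` and `demo` are hypothetical names for an inode-based check of whether a given root is still an ancestor of the current directory.

```python
import os
import tempfile


def reaches_root(start, root):
    """Walk '..' upward from start, comparing inodes; True if root is an ancestor."""
    root_st = os.stat(root)
    path = start
    while True:
        st = os.stat(path)
        if os.path.samestat(st, root_st):
            return True
        parent = os.path.join(path, "..")
        if os.path.samestat(st, os.stat(parent)):
            return False  # reached "/" without ever passing root
        path = parent


def demo():
    """Returns (inside_shell_before, inside_shell_after, inside_core_after)."""
    saved = os.getcwd()
    with tempfile.TemporaryDirectory() as base:
        # Constructed stand-ins for /usr/jails/shell and /usr/jails/core.
        shell_root = os.path.join(base, "shell")
        core_root = os.path.join(base, "core")
        src = os.path.join(shell_root, "home", "johan", "test")
        dst = os.path.join(core_root, "home", "johan", "test")
        os.makedirs(src)
        os.makedirs(os.path.dirname(dst))
        try:
            os.chdir(src)            # a process "stands" in the directory
            before = reaches_root(".", shell_root)
            os.rename(src, dst)      # the move, done from outside that tree
            after_shell = reaches_root(".", shell_root)
            after_core = reaches_root(".", core_root)
        finally:
            os.chdir(saved)          # leave the temp tree before it is removed
    return before, after_shell, after_core


if __name__ == "__main__":
    print(demo())
```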