From: Chris Rees
To: Mark Felder
Cc: freebsd-security@freebsd.org
Reply-To: utisoft@gmail.com
Date: Fri, 6 May 2011 19:12:28 +0100
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

On 6 May 2011 17:18, "Mark Felder" wrote:
>
> On Fri, 06 May 2011 10:13:50 -0500, Daniel Jacobsson <daniel.jacobsson.90@gmail.com> wrote:
>
>> Can someone confirm if this bug/exploit works?
>
> It's really not a bug or exploit... it's just the guy being crafty. It only makes sense: the jails access the same filesystem as the host. Put a file setuid in the jail and use your user on the host to execute that file and voila, you're now running that executable as root.
>
> Your users should NEVER have access to the host of the jail.
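
The point made in the quoted reply, that unprivileged host users must not be able to reach a jail's files, can be audited from the host. The following is an added example, not part of the original message or of FreeBSD: it reports whether "other" users can traverse down to a jail root and which setuid/setgid files would then be exposed. The function names and the `top` parameter are assumptions made for illustration, and group permissions and ACLs are not evaluated.

```python
import os
import stat


def blocking_dir(jail_root, top="/"):
    """Return the first directory from top down to jail_root (inclusive) that
    denies search permission (o+x) to 'other', or None if none does."""
    top = os.path.realpath(top)
    rel = os.path.relpath(os.path.realpath(jail_root), top)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("jail_root is not below top")
    current = top
    for part in [""] + ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part) if part else current
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return current
    return None


def setid_files(jail_root):
    """Return sorted (relative path, owner uid) for every regular file under
    jail_root that carries the setuid or setgid bit."""
    found = []
    for dirpath, _dirs, files in os.walk(jail_root):  # symlinked dirs are not followed
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: judge the entry itself, not a link target
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((os.path.relpath(full, jail_root), st.st_uid))
    return sorted(found)


def audit_jail(jail_root, top="/"):
    """Summarise exposure: set-id files only matter to host users if the whole
    path down to the jail root is traversable by 'other'."""
    barrier = blocking_dir(jail_root, top)
    return {
        "barrier": barrier,
        "reachable_by_other": barrier is None,
        "exposed": setid_files(jail_root) if barrier is None else [],
    }


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:  # jail root paths on this host, passed as arguments
        print(root, audit_jail(root))
```

A stock jail contains setuid binaries of its own, so a non-empty `exposed` list is expected whenever the path is open; the finding to act on is `reachable_by_other` being true.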