From owner-freebsd-security@FreeBSD.ORG  Mon May  9 14:49:55 2011
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D43E3106564A
	for <freebsd-security@freebsd.org>;
	Mon,  9 May 2011 14:49:55 +0000 (UTC)
	(envelope-from jhellenthal@gmail.com)
Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com
	[209.85.210.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 834EB8FC0C
	for <freebsd-security@freebsd.org>;
	Mon,  9 May 2011 14:49:55 +0000 (UTC)
Received: by iyj12 with SMTP id 12so6249508iyj.13
	for <freebsd-security@freebsd.org>;
	Mon, 09 May 2011 07:49:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:sender:date:from:to:cc:subject:message-id
	:references:mime-version:content-type:content-disposition
	:in-reply-to:x-openpgp-key-id:x-openpgp-key-fingerprint
	:x-openpgp-key-url;
	bh=JV1gyWmaoDJTC7Tu0+Dqm8hlB9DJJF0+cdax9xfb5QQ=;
	b=MmKPq2PG8i8OGpeaaiSEjb9mIdjpaUijmBSO7okDzVGPWOQ82pVO0UT6HPT9GCfdcw
	siGD1vvr7irpr4ToCPgNBAIu50iFI7l6f8tBi9Ru0WkKBq2ZtW68jlhwBmQNS1a/U78Q
	CRnn7dxrSHHNoWyjSLdb2HvGcir6waQj7dXmM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=sender:date:from:to:cc:subject:message-id:references:mime-version
	:content-type:content-disposition:in-reply-to:x-openpgp-key-id
	:x-openpgp-key-fingerprint:x-openpgp-key-url;
	b=vVf58iGvT47YYPu388CfQ1uXjiE4KcPaUpJEGvkIxkaBk2AHVu+VsAmTeGHs+U24M6
	uI5SIYTnTyhuBe20wx7aVdJov30yfDjd6674+8y60xkRv/vGi4ud7Qrpt9Woiulwt/2i
	3iutrniI/CLaKhq0HPJv06NDTONW2I6D5svIQ=
Received: by 10.42.145.130 with SMTP id f2mr6615045icv.325.1304952594389;
	Mon, 09 May 2011 07:49:54 -0700 (PDT)
Received: from DataIX.net (adsl-99-190-84-116.dsl.klmzmi.sbcglobal.net
	[99.190.84.116])
	by mx.google.com with ESMTPS id xe15sm2451151icb.8.2011.05.09.07.49.52
	(version=TLSv1/SSLv3 cipher=OTHER);
	Mon, 09 May 2011 07:49:53 -0700 (PDT)
Sender: "J. Hellenthal" <jhellenthal@gmail.com>
Received: from DataIX.net (localhost [127.0.0.1])
	by DataIX.net (8.14.4/8.14.4) with ESMTP id p49EnnTZ078825
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Mon, 9 May 2011 10:49:50 -0400 (EDT) (envelope-from jhell@DataIX.net)
Received: (from jhell@localhost)
	by DataIX.net (8.14.4/8.14.4/Submit) id p49EnmYZ078824;
	Mon, 9 May 2011 10:49:48 -0400 (EDT) (envelope-from jhell@DataIX.net)
Date: Mon, 9 May 2011 10:49:47 -0400
From: Jason Hellenthal <jhell@DataIX.net>
To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= <des@des.no>
Message-ID: <20110509144947.GB77054@DataIX.net>
References: <op.vu2g4b0k34t2sn@tech304>
	<BANLkTikJgPt4SM_B_7drpgFvO8RkvXaOtw@mail.gmail.com>
	<201105072231.p47MVktY035491@catflap.bishopston.net>
	<BANLkTikgnqXB4pdvCd9j9n7pFvg=n5FrdQ@mail.gmail.com>
	<20110508075203.GA61754@DataIX.net>
	<BANLkTi=8by=rtbNUDtA8CRSMJsmgPOR2XA@mail.gmail.com>
	<20110508173931.GA2757@DataIX.net> <86fwoof8lj.fsf@ds4.des.no>
	<BANLkTi=-0=L0MmezOCa=tiv6DrwHYZ83AQ@mail.gmail.com>
	<86zkmwdpdl.fsf@ds4.des.no>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz"
Content-Disposition: inline
In-Reply-To: <86zkmwdpdl.fsf@ds4.des.no>
X-OpenPGP-Key-Id: 0x89D8547E
X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE  B12A 9057 8789 89D8 547E
X-OpenPGP-Key-URL: http://bit.ly/0x89D8547E
Cc: Jamie Landeg Jones <jamie@bishopston.net>, freebsd-security@freebsd.org,
	feld@feld.me, Edho P Arief <edhoprima@gmail.com>, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 May 2011 14:49:56 -0000


--0eh6TmSyL6TZE2Uz
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable


Dag-Erling,

On Mon, May 09, 2011 at 02:34:14PM +0200, Dag-Erling Sm=F8rgrav wrote:
> Chris Rees <utisoft@gmail.com> writes:
> > This is the point I'm making, I can't recommend in the docs that one
> > chmods $D/.. because we (the docs writers) don't know what the user
> > (the reader) is going to set $D to.
>=20
> Ah, OK.  But you could provide an example where $D is /var/jail, or
> something along those lines.
>=20

Do you know if there is a way that chmod on / from within the jail could=20
be prevented easily without breaking something ? Maybe not failing but=20
falling though and return 0 for any operation with the sole argument of /.

--=20

 Regards, (jhell)
 Jason Hellenthal


--0eh6TmSyL6TZE2Uz
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)
Comment: http://bit.ly/0x89D8547E

iQEcBAEBAgAGBQJNx/8LAAoJEJBXh4mJ2FR+IicH+wYSZ/QFJRz0zlN3VcTUWwwC
zerzHVtr2gwKFTtYiStSKJ2fH/N3vuDMNmU8AF9nvPLm1dwUo1DuWlo0B290FIQ7
5IGKDXSbXy7AGgWTFG2Mockp4X4fQ05nZRxXSMvIlk+HhD1BSA1s2KKWiV0FR/et
rnsAMqTEcAt4cbZ4oh8MQsOdu6idhZJ0z3dXXKhfBW0H7Sf1CXiKztH3UrCvidpe
oQHD8i03q5G7BmKVUMJsk7mjUJasm6aLFV/n1UckqAaE/XfHoGj7x4pW8wsQ1ORv
cauwJ22uGOiB2CCF95w5ndAUj2dmbpuis+dxkVyYzxZD/tJ0mAt/cKs6oai77BY=
=32va
-----END PGP SIGNATURE-----

--0eh6TmSyL6TZE2Uz--