From: Chris Rees
Reply-To: utisoft@gmail.com
Date: Fri, 6 May 2011 21:55:33 +0100
To: Mark Felder
Cc: freebsd-security@freebsd.org
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

On 6 May 2011 16:54, Mark Felder wrote:
> On Fri, 06 May 2011 10:13:50 -0500, Daniel Jacobsson wrote:
>
>> Can someone confirm if this bug/exploit works?
>
> It's really not a bug or exploit... it's just the guy being crafty. It only
> makes sense: the jails access the same filesystem as the host. Put a file
> setuid in the jail and use your user on the host to execute that file and
> voila, you're now running that executable as root.
>
> Your users should NEVER have access to the host of the jail.

All the same, I've sent a PR [1] with some doc patches to make people
more aware of this -- fulfilling my promise of 2+ years ago :S

Thanks!

Chris

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853
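
A defender-side check for the condition discussed in this thread, as an added example that is not part of the original message or of the FreeBSD documentation: it reports whether unprivileged host users can traverse into a jail's file tree and lists the setuid/setgid files inside it. The function names, the `top` parameter and the `/usr/jails/www` path are assumptions, and the traversal check looks only at the other-execute bit, ignoring group membership and ACLs.

```python
import os
import stat
import sys

def host_users_can_enter(jail_root, top="/"):
    """True if every directory from jail_root up to top grants o+x, so an
    unprivileged host user can traverse into the jail's file tree.
    Simplification: only the 'other' execute bit is checked (no groups/ACLs)."""
    path, top = os.path.realpath(jail_root), os.path.realpath(top)
    while True:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(path)
        if path == top or parent == path:
            return True
        path = parent

def setid_files(jail_root):
    """Regular files under jail_root carrying the setuid or setgid bit,
    as (path, owner uid, mode string). Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(jail_root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((full, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(hits)

def audit(jail_root, top="/"):
    """Combine both checks: setid files only matter to the host when host
    users can reach them, which is the situation the thread describes."""
    return {"exposed": host_users_can_enter(jail_root, top),
            "setid": setid_files(jail_root)}

if __name__ == "__main__":
    # /usr/jails/www is a hypothetical jail root; pass the real one as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/jails/www"
    if not os.path.isdir(root):
        sys.exit(f"{root}: not a directory")
    report = audit(root)
    print("host users can traverse into jail:", report["exposed"])
    for path, uid, mode in report["setid"]:
        print(f"{mode} uid={uid} {path}")
```

If `exposed` is true, restricting a directory above the jail root to root only (for example mode 0700) removes host users' path to these files.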