From: Jamie Landeg Jones
Date: Sat, 07 May 2011 23:31:46 +0100
To: utisoft@gmail.com, feld@feld.me
Cc: freebsd-security@freebsd.org
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

> All the same, I've sent a PR [1] with some doc patches to make people
> more aware of this -- fulfilling my promise of 2+ years ago :S
>
> Thanks!
>
> Chris
>
> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853

Um. Some problems here.

A jail won't work for non-root users if the jail root directory is chmod 700 -
although there is obviously a 'chroot' running within the jail, the jailed user
still needs to have read permission from the host's / -- chmod 700 therefore
locks all non-root users out.

I would suggest you add to the docs about the UID clash problem - untrusted
users on the host shouldn't have the same UID/GID as jailed users, as they will
have access to their files.

And of course, the bit mentioned earlier where an untrusted jail user with
jail-root access should NEVER have access to the host!

Among other things, my password file in both jails and the host has this line:

# 8000 to 9999 - Reserved for use within jails - do not use in main host!

cheers, Jamie
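
An added example, not part of the original message: a Python audit for the UID clash described above and for the reserved 8000 to 9999 jail range quoted from the password file. The sample passwd text, the account names, the finding labels and the 1000 system-account cutoff are constructed assumptions.

```python
JAIL_RANGE = range(8000, 10000)  # the "8000 to 9999" range quoted in the message
FIRST_USER_UID = 1000            # assumption: lower UIDs are system accounts
NOBODY_UID = 65534               # stock "nobody" account, present on host and jail

# Constructed sample data (not taken from any real system).
HOST_PASSWD = """\
# 8000 to 9999 - Reserved for use within jails - do not use in main host!
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
carol:*:8500:8500:Carol:/home/carol:/bin/sh
"""
JAIL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
webdev:*:1001:1001:Web dev:/home/webdev:/bin/sh
guest:*:1002:1002:Guest:/home/guest:/bin/sh
builder:*:8002:8002:Builder:/home/builder:/bin/sh
"""

def parse_passwd(text):
    """Map uid -> sorted login names; works for passwd and master.passwd."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # malformed entry: skip rather than guess
        users.setdefault(int(fields[2]), []).append(fields[0])
    return {uid: sorted(names) for uid, names in users.items()}

def audit(host_text, jail_text):
    """Return (kind, uid, names) findings for ordinary accounts, sorted by uid."""
    host, jail = parse_passwd(host_text), parse_passwd(jail_text)
    findings = []
    for uid in sorted(set(host) | set(jail)):
        if uid < FIRST_USER_UID or uid == NOBODY_UID:
            continue
        if uid in host and uid in jail:    # same UID on both sides of the jail
            findings.append(("clash", uid, host[uid] + jail[uid]))
        elif uid in host and uid in JAIL_RANGE:
            findings.append(("host-in-jail-range", uid, host[uid]))
        elif uid in jail and uid not in JAIL_RANGE:
            findings.append(("jail-outside-range", uid, jail[uid]))
    return findings

if __name__ == "__main__":
    for finding in audit(HOST_PASSWD, JAIL_PASSWD):
        print(finding)
```

Run against real systems by passing the contents of the host's and each jail's passwd file to audit(); any finding means the reserved-range convention has been broken for that UID.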