Date:      Wed, 10 Dec 2014 17:22:39 +0100
From:      "no@spam@mgedv.net" <nospam@mgedv.net>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely
Message-ID:  <000001d01495$8b36ee60$a1a4cb20$@mgedv.net>
In-Reply-To: <042a01d011bd$e4cb1530$ae613f90$@mgedv.net>
References:  <042a01d011bd$e4cb1530$ae613f90$@mgedv.net>

really, no one running jails on 10.1 with chmod o-rwx of the jail-home? ;-)

cheers

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of no@spam@mgEDV.net
> Sent: Sunday, December 07, 2014 2:34 AM
> To: freebsd-questions@freebsd.org
> Subject: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely
> 
> hi guys,
> 
> as the "real" application faces the same problems, i created a test
> jail on a clean box just to check the behaviour using "/usr/bin/id".
> 
> problem description (hopefully i nailed it):
> if a jailed process needs any .so for startup, the path to those *.so
> needs to be world r-x, although the GID of the jail execute user
> is allowed to r/x the dirs, where the *.so files are to be found.
> there could be (ordering) errors with SET(e)GID in jail_* functions,
> because it works as expected when prefixing with "chroot -g test /".
> the EGID is dropped to the jail user's gid, but the GID is still 0!
> we end up with a jailed proc (UID=999, GID=0), which of course is
> not allowed to access the dirs for the *.so's to be loaded by exec.
> [see end of message for setup details]
> 
> === the symptom ===
> /jail# /jail/a.sh
> Shared object "libbsm.so.3" not found, required by "id"
> jail: /bin/id: failed
> 
> === details from truss ===
>   619: access("/lib/libbsm.so.3",0)              ERR#13 'Permission denied'
>   619: access("/usr/lib/libbsm.so.3",0)          ERR#13 'Permission denied'
> 
> === some UID/GID details from kdump ===
> /jail# grep -i '[g|s]et.*id' jail.kdump
> 64746 100091 jail     CALL  issetugid
> 64746 100091 jail     RET   issetugid 0
> 64746 100091 jail     CALL  issetugid
> 64746 100091 jail     RET   issetugid 0
> 64747 100093 jail     CALL  geteuid
> 64747 100093 jail     RET   geteuid 0
> 64747 100093 jail     CALL  setuid(0x3e7)
> 64747 100093 jail     RET   setuid 0
> 64747 100093 jail     CALL  getuid
> 64747 100093 jail     RET   getuid 999/0x3e7
> 64747 100093 jail     CALL  geteuid
> 64747 100093 jail     RET   geteuid 999/0x3e7
> 64747 100093 jail     CALL  getegid
> 64747 100093 jail     RET   getegid 999/0x3e7
> 64747 100093 jail     CALL  setegid(0x3e7)
> 64747 100093 jail     RET   setegid -1 errno 1 Operation not permitted
> 64747 100093 jail     CALL  seteuid(0x3e7)
> 64747 100093 jail     RET   seteuid 0
> 64747 100093 jail     CALL  seteuid(0x3e7)
> 64747 100093 jail     RET   seteuid 0
> 64747 100093 jail     CALL  setegid(0x3e7)
> 64747 100093 jail     RET   setegid -1 errno 1 Operation not permitted
> 64747 100093 id       CALL  issetugid
> 64747 100093 id       RET   issetugid 1
> 
> === proof 1: chroot fixes the jail .so load problem ===
> # outside the jail - just to know what's changing:
> /jail# chroot -g test / id
> uid=0(root) gid=0(wheel) egid=999(test) groups=999(test),5(operator)
> # inside the jail - this is our "fix":
> /jail# chroot -g test / /jail/a.sh
> uid=999 gid=999(test) groups=999(test)
> 
> === proof 2: chmod fixes *.so load, but GID=0 here! ===
> if i chmod the jail homedir and jail's lib dir, it works:
> /jail# chmod a+rx /jail /jail/lib
> /jail# ./a.sh
> uid=999 gid=0(wheel) egid=999(test) groups=999(test)
> 
> user and group names are read fine from the jailed "id",
> although the file perms are as listed beyond.
> 
> is this a bug or am i missing something?
> any help/info/enlightenment appreciated ;-)
> [just reply to the list, i'm on it]
> 
> 
> ==== CONFIG (tested 3 different times with GENERIC and a CUSTOM kernel):
> LiveCD install source: FreeBSD-10.1-RELEASE-amd64-disc1.iso
> sha256:
> 0c3d64ce48c3ef761761d0fea07e1935e296f8c045c249118bc91a7faf053a6b
> fresh install on 2 different ESXi 5.5 hosts and a 3rd physical PC.
> only base.tgz+kernel.tgz or liveCD, tried on UFS2 (gpt) and tmpfs.
> i used the www user and tmpfs on the liveCD, but everything else was the
> same.
> 
> === the test user ===
> /jail# id -P test
> test:*:999:999::0:0:User &:/home/test:/bin/sh
> 
> === the jail (before the mentioned chmod) ===
> /jail# ls -Ralo
> total 68
> dr-xr-xr-x   6 root  test   -   512 Dec  7 01:02 .
> drwxr-xr-x  19 root  wheel  -   512 Dec  7 00:06 ..
> -rwx------   1 root  test   -   773 Dec  7 01:00 a.sh
> dr-xr-x---   2 root  test   -   512 Dec  6 23:58 bin
> drwxr-x---   2 root  test   -   512 Dec  7 01:01 etc
> -rw-r-----   1 root  test   - 37157 Dec  7 01:02 jail.truss
> dr-xr-xr-x   2 root  test   -   512 Dec  6 23:59 lib
> dr-xr-x---   2 root  test   -   512 Dec  7 00:00 libexec
> 
> ./bin:
> total 24
> dr-xr-x---  2 root  test  -   512 Dec  6 23:58 .
> dr-xr-xr-x  6 root  test  -   512 Dec  7 01:02 ..
> -r-xr-x---  1 root  test  - 12432 Nov 11 22:03 id
> 
> ./etc:
> total 60
> drwxr-x---  2 root  test  -   512 Dec  7 01:01 .
> dr-xr-xr-x  6 root  test  -   512 Dec  7 01:02 ..
> -rw-r-----  1 root  test  -   473 Dec  7 00:04 group
> -rw-r-----  1 root  test  -   321 Dec  7 01:01 nsswitch.conf
> -rw-r-----  1 root  test  -  1570 Dec  7 00:27 passwd
> -rw-------  1 root  test  - 40960 Dec  7 00:27 spwd.db
> 
> ./lib:
> total 1744
> dr-xr-xr-x  2 root  test  -     512 Dec  6 23:59 .
> dr-xr-xr-x  6 root  test  -     512 Dec  7 01:02 ..
> -r--r-----  1 root  test  -  106264 Nov 11 22:03 libbsm.so.3
> -r--r-----  1 root  test  - 1631216 Nov 11 22:03 libc.so.7
> 
> ./libexec:
> total 124
> dr-xr-x---  2 root  test  -    512 Dec  7 00:00 .
> dr-xr-xr-x  6 root  test  -    512 Dec  7 01:02 ..
> -r-xr-x---  1 root  test  - 118520 Nov 11 22:03 ld-elf.so.1
> 
> 
> === the start command ====
> /jail# cat a.sh
> 
> umask 027;
> rm -f /jail/jail.truss /jail/jail.kdump /jail/jail.ktrace
> 
> #/usr/bin/truss -f -e -a -o /jail/jail.truss -s 1000    \
> ktrace -d -f /jail/jail.ktrace -i -t cinpstuy   \
> jail -c jid=1                   \
> name=test                \
> path=/jail               \
> ip4.addr=1.1.1.1                \
> host.hostuuid=c91e438a-1a44-4b7e-8732-0441ca9e2b97      \
> host.hostid=6146666201             \
> allow.sysvipc=0                 \
> allow.raw_sockets=0                \
> exec.jail_user=test                \
> exec.system_user=test              \
> exec.system_jail_user=true              \
> host.hostname=test                 \
> host.domainname=test.me                \
> allow.set_hostname=0               \
> allow.chflags=0                 \
> allow.mount=0                   \
> allow.quotas=0                  \
> allow.socket_af=0                  \
> enforce_statfs=2                \
> ip4=new                 \
> ip6=disable              \
> command=/bin/id                 \
> 
> kdump -H -f /jail/jail.ktrace >/jail/jail.kdump
> 
> ===  EOM ===
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe@freebsd.org"
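
Added example, not part of the original message and not FreeBSD code: a Python check over `kdump -H` output that flags group-ID changes refused with EPERM after the same process had already completed `setuid()` to a non-root UID, which is the sequence visible in the kdump excerpt quoted above. The sample lines are copied from that excerpt; the name `late_group_drops` is made up for this example.

```python
import re

# One `kdump -H` record: "<pid> <tid> <command> CALL|RET <detail>"
RECORD = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(CALL|RET)\s+(.*)$")
CALL = re.compile(r"^(\w+)(?:\((.*)\))?")
RET = re.compile(r"^(\w+)\s+(\S+)(?:\s+errno\s+(\d+))?")
GROUP_CALLS = {"setgid", "setegid", "setregid", "setresgid", "setgroups"}
EPERM = 1

# Lines copied from the kdump excerpt in the message above.
SAMPLE = """\
64747 100093 jail     CALL  setuid(0x3e7)
64747 100093 jail     RET   setuid 0
64747 100093 jail     CALL  getegid
64747 100093 jail     RET   getegid 999/0x3e7
64747 100093 jail     CALL  setegid(0x3e7)
64747 100093 jail     RET   setegid -1 errno 1 Operation not permitted
64747 100093 jail     CALL  seteuid(0x3e7)
64747 100093 jail     RET   seteuid 0
64747 100093 jail     CALL  setegid(0x3e7)
64747 100093 jail     RET   setegid -1 errno 1 Operation not permitted
""".splitlines()

def late_group_drops(lines):
    """Return (pid, syscall, first_arg) for every group-ID change that failed
    with EPERM after that pid had already completed setuid() to a non-zero UID."""
    pending = {}     # (pid, tid) -> (syscall, first argument) awaiting its RET
    dropped = set()  # pids that have already given up UID 0
    findings = []
    for line in lines:
        rec = RECORD.match(line)
        if not rec:
            continue
        pid, tid, kind, detail = int(rec[1]), int(rec[2]), rec[4], rec[5]
        m = (CALL if kind == "CALL" else RET).match(detail)
        if not m:
            continue
        if kind == "CALL":
            pending[(pid, tid)] = (m[1], (m[2] or "").split(",")[0].strip())
            continue
        name, arg = pending.pop((pid, tid), (None, ""))
        if name != m[1]:
            continue  # RET without a matching CALL in this thread
        errno = int(m[3]) if m[3] else None
        if name == "setuid" and errno is None and arg and int(arg, 0) != 0:
            dropped.add(pid)
        elif name in GROUP_CALLS and errno == EPERM and pid in dropped:
            findings.append((pid, name, arg))
    return findings
```

On the sample it reports both refused `setegid(0x3e7)` calls for pid 64747; a trace in which the group IDs are set before `setuid()` produces no findings.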