Message-Id: <3F3AE006.3040400@rv1.dynip.com>
Date: Wed, 13 Aug 2003 21:04:06 -0400
From: mjoyner
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/55568: DUMP has access to block devices in a JAIL

>Number:         55568
>Category:       kern
>Synopsis:       DUMP can be used in JAIL
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 13 18:10:18 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     System Administrator
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
>Environment:
System: FreeBSD eadmin.dyns.net 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Mon Aug 11 15:53:58 EDT 2003 sysadmin@eadmin.dyns.net:/usr/src/sys/i386/compile/kernel.build.conf i386

>Description:
A jailed root user can use DUMP and gain a snapshot of the entire disk.
From there the jailed root user can restore files from the HOST SYSTEM
or any other jails at their leisure.

Even if DEVFS is not mounted, a root user could possibly create a device
node anyways, and one needs TTYS anyways.

Some sort of check is not occurring in the disk access code that is
needed to prevent JAILED users ANY raw access to the disk.

>How-To-Repeat:
Run DUMP in a jailed environment.

>Fix:
Add security checks on device access to prevent jailed users from
gaining access to things they don't need access to.

If this is a setting which can be changed, the default behavior needs
to be more security conscious, or at least very very very clearly
documented.

>Release-Note:
>Audit-Trail:
>Unformatted:
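
The following is an added example, not part of the original report and not FreeBSD code: a host-side audit that lists device nodes reachable inside a jail's directory tree, covering both nodes under dev/ and nodes created elsewhere, as the description notes is possible without devfs. The allowlist, the function names and the sample entries are assumptions made for illustration.

```python
import fnmatch
import os
import stat
import sys

# Assumption: the only device names a jail is expected to need (ttys and null-style nodes).
ALLOWED = ("null", "zero", "random", "urandom", "tty*", "pty*",
           "fd/*", "stdin", "stdout", "stderr")

def audit_entries(entries, allowed=ALLOWED):
    """entries: iterable of (path relative to the jail root, st_mode).
    Returns sorted (path, kind, reason) tuples for unexpected device nodes."""
    findings = []
    for rel, mode in entries:
        if stat.S_ISBLK(mode):
            kind = "block"
        elif stat.S_ISCHR(mode):
            kind = "char"
        else:
            continue  # regular files, directories, symlinks are out of scope
        if rel.startswith("dev/"):
            name = rel[len("dev/"):]
            if any(fnmatch.fnmatchcase(name, pat) for pat in allowed):
                continue
            findings.append((rel, kind, "not on allowlist"))
        else:
            # A node made with mknod outside dev/ is never expected in a jail.
            findings.append((rel, kind, "device node outside dev/"))
    return sorted(findings)

def scan(jail_root):
    """Yield (relative path, st_mode) for every entry, never following symlinks."""
    for dirpath, dirnames, filenames in os.walk(jail_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                yield os.path.relpath(full, jail_root), os.lstat(full).st_mode
            except OSError:
                continue  # entry vanished or is unreadable; skip it

# Constructed sample entries (not taken from the report).
SAMPLE = [
    ("dev/null", stat.S_IFCHR | 0o666),
    ("dev/ttyp0", stat.S_IFCHR | 0o620),
    ("dev/ad0s1a", stat.S_IFCHR | 0o640),
    ("tmp/.x/disk", stat.S_IFBLK | 0o600),
    ("etc/passwd", stat.S_IFREG | 0o644),
]

if __name__ == "__main__":
    source = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, kind, reason in audit_entries(source):
        print(f"{kind:5} {path}: {reason}")
```

Run it from the host with the jail's root directory as the argument; with no argument it reports on the constructed sample.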