From owner-freebsd-security@FreeBSD.ORG Tue May 10 01:12:55 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 60FC11065673 for ; Tue, 10 May 2011 01:12:55 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id 12C908FC0A for ; Tue, 10 May 2011 01:12:54 +0000 (UTC) Received: by iyj12 with SMTP id 12so6852299iyj.13 for ; Mon, 09 May 2011 18:12:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:date:from:to:cc:subject:message-id :references:mime-version:content-type:content-disposition :in-reply-to:x-openpgp-key-id:x-openpgp-key-fingerprint :x-openpgp-key-url; bh=YgozxltYDZOqVNpTnpTAJ6mLsDhN+TUom5wJ3qlXWYM=; b=K1lLKjyn1WfQcqS5VNqhofkCTGT+ZDZnLITuvOhbjjOA5/fItJzsuEyU5Cv5UDEN/a xCzHwAPurdqnQKzdtVwURL0AQVwvJIu2UWZtw6b8zaDzefgSntHzV7ThjF5qDROJkqPP 5EDt53saWMXjT9rduLsL9c34fmNIXi/UQi3pE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:x-openpgp-key-id :x-openpgp-key-fingerprint:x-openpgp-key-url; b=V77fqkc1yIVQiGFHN/YBjxc0w317YyUNx/0m/kFztprOlZZlshx4BJQuOIcyfOFJIK iZvU5Y5XvuL9MKXgR4Th1dErMt4WGn2XD8lI3snhPOpauKaHHZbIfqflP27FAYMX2yqc zvKN2KzK/DH/ovLe89gubATKT2+diPCRW70lw= Received: by 10.231.11.68 with SMTP id s4mr3721114ibs.152.1304989974096; Mon, 09 May 2011 18:12:54 -0700 (PDT) Received: from DataIX.net (adsl-99-190-84-116.dsl.klmzmi.sbcglobal.net [99.190.84.116]) by mx.google.com with ESMTPS id gx2sm2858543ibb.26.2011.05.09.18.12.52 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 09 May 2011 18:12:53 -0700 (PDT) Sender: "J. Hellenthal" Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.4/8.14.4) with ESMTP id p4A1CnJM008679 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 9 May 2011 21:12:50 -0400 (EDT) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net (8.14.4/8.14.4/Submit) id p4A1Cnrv008678; Mon, 9 May 2011 21:12:49 -0400 (EDT) (envelope-from jhell@DataIX.net) Date: Mon, 9 May 2011 21:12:49 -0400 From: Jason Hellenthal To: Jamie Landeg Jones Message-ID: <20110510011249.GE2558@DataIX.net> References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> <201105091155.p49Bt604053259@catflap.bishopston.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZRyEpB+iJ+qUx0kp" Content-Disposition: inline In-Reply-To: <201105091155.p49Bt604053259@catflap.bishopston.net> X-OpenPGP-Key-Id: 0x89D8547E X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E X-OpenPGP-Key-URL: http://bit.ly/0x89D8547E Cc: freebsd-security@freebsd.org, feld@feld.me, edhoprima@gmail.com, utisoft@gmail.com Subject: Re: Rooting FreeBSD , =?iso-8859-1?q?Privilege_Escalation_using_J?= =?iso-8859-1?q?ails_=28P=C3=AF=C2=BF=C2=BDtur=29?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 May 2011 01:12:55 -0000 --ZRyEpB+iJ+qUx0kp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Jamie, On Mon, May 09, 2011 at 12:55:06PM +0100, Jamie Landeg Jones wrote: > > > A jail won't work for not-root users if the jail root directory is ch= mod 700 - although > > > there is obviously a 'chroot' running withing the jail, the jailed us= er still needs > > > to have read permission from the hosts / -- chmod 700 therefore locks= all non-root > > > users out. > > > > > > > It's weird - I don't remember having such problem after setting jails' > > root directory permission to 700. I don't have the system anymore so I > > can't verify it just yet. >=20 > I just tried it again (Freebsd 8.2) and I am wrong. >=20 > Setting 700 on the jail root does indeed mess things up. But setting it on > the parent (e.g. /usr/jails), and things are fine. >=20 > Stupidly of me, that makes perfect sense. The non-privileged user needs > read access to the jails "/" >=20 > Sorry for the spam In no-way is it spam. Consider it a 'test'imonial to others that may ask=20 that question in the future ;) Tip: Quick way to lock your system down to only root: ( chmod g=3D / )=20 ***Emergency Use Only**** "molly guard not present" "slippery when throbbed" Side effect of that is its not really nice for processes=20 that run with lower privileges and isn't always apparent why things are=20 not working correctly so its best to just use nologin or drop to SU.=20 --=20 Regards, (jhell) Jason Hellenthal --ZRyEpB+iJ+qUx0kp Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (FreeBSD) Comment: http://bit.ly/0x89D8547E iQEcBAEBAgAGBQJNyJEQAAoJEJBXh4mJ2FR+j3IH/1gMoLoduCOvEV0p/ryJTN90 KaBSAk0qMciEAY9Qk7fbYVfbTTtAVoAMfMGt6xngjk39LPqvC4ID6UOPmYhhGtul G5p47MrS3BQ8BEOSp8qJY9l+R9arKMFpCMIfKXWmcHjgiN+thKM8Veifu+zgmn6q eD4Hemk4ae6c4TJmsVhUAJWMoeRRhBH1Y8eetj+79qStRrfu5xg56MsXKgwuoUiM nlmSNxP9eo0hTwp0zm5fWYoDr3d0f2cJiPC2U/8AHTzd5rro+gqMt/ACwe2ABkN/ GywfRys75ty8xvctysRyla+r0Ww1v1IcwaWClrvKTvYBl1gdALBa+tLuceqwF9g= =1KnA -----END PGP SIGNATURE----- --ZRyEpB+iJ+qUx0kp--