From: Marin Atanasov Nikolov
To: freebsd-security@freebsd.org, ml-freebsd-stable
Date: Wed, 28 Dec 2011 10:58:43 +0200
Subject: Escaping from a jail with root privileges on the host

Hello,

Today I've managed to escape from a jail by accident and ended up with root access to the host's filesystem.

Here's what I did:

* Using ezjail for managing my jails
* Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
* This works only when I use sudo, and cannot reproduce if I execute
  everything as root

First, created a folder *inside* the jail and cd to it:

    host$ sudo ezjail-admin console jail-test
    jail-test# id
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
    jail-test# mkdir ~/jail-folder
    jail-test# cd ~/jail-folder
    jail-test# pwd
    /root/jail-folder

Then from the host machine I've moved this folder to the cwd.

    host$ pwd
    /usr/home/mra
    host$ sudo mv /home/jails/jail-test/root/jail-folder .

And then here's where the jail ends up :)

    jail-test# pwd
    /usr/home/mra/jail-folder

From here on the Jail's root user has full root privileges to the host's filesystem.

Not sure if it is sudo or jail issue, and would be nice if someone with more experience can check this up :)

Regards,
Marin

--
Marin Atanasov Nikolov

dnaeon AT gmail DOT com
daemon AT unix-heaven DOT org
http://www.unix-heaven.org/
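
Added example, not part of the original post and not code from ezjail or FreeBSD: a host-side guard for the `mv` step shown above, which refuses to move a directory from inside a jail's tree to a destination outside it. The function names are hypothetical, and the destination is assumed to be an existing directory, as in the post's `mv ... .`.

```sh
#!/bin/sh
# Added example: host-side check before moving a directory that lives in a jail tree.
# All function names here are hypothetical helpers, not part of any FreeBSD tool.

# Print the physical (symlink-free) path of an existing directory.
phys_dir() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# Return 0 if path $1 is $2 itself or lies beneath it.
# The trailing slash stops /jails/a from matching /jails/ab.
is_under() {
    case "$1/" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# leaves_jail SRC DSTDIR JAILROOT
# 0: SRC is inside JAILROOT and DSTDIR is outside it (the move in the post)
# 1: the move does not cross the jail boundary outward
# 2: one of the paths is not a resolvable directory
leaves_jail() {
    _lj_src=$(phys_dir "$1")  || return 2
    _lj_dst=$(phys_dir "$2")  || return 2
    _lj_root=$(phys_dir "$3") || return 2
    is_under "$_lj_src" "$_lj_root" && ! is_under "$_lj_dst" "$_lj_root"
}

# guarded_mv SRC DSTDIR JAILROOT
# Run mv only when the directory would stay on its side of the jail root.
guarded_mv() {
    _gm_rc=0
    leaves_jail "$1" "$2" "$3" || _gm_rc=$?
    case $_gm_rc in
        0) echo "refusing: $1 would leave jail root $3" >&2; return 1 ;;
        1) mv -- "$1" "$2" ;;
        *) echo "cannot resolve one of: $1 $2 $3" >&2; return 2 ;;
    esac
}
```

With the paths from the post, `guarded_mv /home/jails/jail-test/root/jail-folder . /home/jails/jail-test` run from /usr/home/mra is refused. Paths are resolved physically, so a symlink inside the jail tree that points outside it is also treated as an outside destination.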