From owner-freebsd-bugs@FreeBSD.ORG Wed Aug 11 12:20:31 2004
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0748816A58C for ; Wed, 11 Aug 2004 12:20:31 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E4D9F43D5A for ; Wed, 11 Aug 2004 12:20:30 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i7BCKUw0093669 for ; Wed, 11 Aug 2004 12:20:30 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7BCKU2d093668; Wed, 11 Aug 2004 12:20:30 GMT (envelope-from gnats)
Resent-Date: Wed, 11 Aug 2004 12:20:30 GMT
Resent-Message-Id: <200408111220.i7BCKU2d093668@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Marcin Koziej
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2FB7816A4CE for ; Wed, 11 Aug 2004 12:18:12 +0000 (GMT)
Received: from niobe.desk.pl (h4x0r5.h4ck.biz [62.233.238.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id EFA5643D5A for ; Wed, 11 Aug 2004 12:18:10 +0000 (GMT) (envelope-from creep@dream.theater.eu.org)
Received: from 183-mo3-1.acn.waw.pl (unknown [62.233.164.218]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by niobe.desk.pl (Postfix) with ESMTP id 2666136E6F for ; Wed, 11 Aug 2004 14:17:45 +0200 (CEST)
Received: by 183-mo3-1.acn.waw.pl (FreeLSD); Wed, 11 Aug 2004 14:17:06 +0200
Message-Id: <20040811121745.2666136E6F@niobe.desk.pl>
Date: Wed, 11 Aug 2004 14:17:06 +0200
From: Marcin Koziej
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/70298: manipulation of ufs system flags in jail(8) is permitted for super user
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Marcin Koziej
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 11 Aug 2004 12:20:31 -0000

>Number:         70298
>Category:       kern
>Synopsis:       manipulation of ufs system flags in jail(8) is permitted for super user
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 11 12:20:30 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Marcin Koziej
>Release:        FreeBSD 5.2.1-RELEASE-p9 i386
>Organization:   DESK.pl
>Environment:
System: FreeBSD mistress 5.2.1-RELEASE-p9 FreeBSD 5.2.1-RELEASE-p9 #0: Fri Jul 30 02:52:09 CEST 2004 creep@mistress:/usr/src/sys/i386/compile/MONSUN i386
>Description:
A uid 0 user can modify system flags inside a jail, which should not happen according to the comment at sys/ufs/ufs/ufs_vnops.c:498:

	/*
	 * Unprivileged processes and privileged processes in
	 * jail() are not permitted to unset system flags, or
	 * modify flags if any system flags are set.
	 * Privileged non-jail processes may not modify system flags
	 * if securelevel > 0 and any existing system flags are set.
	 */

but right after that the code is:

	/* suser_cred() returns 0 when the credentials count as super-user */
	if (!suser_cred(cred, PRISON_ROOT)) {
		(code for superuser)
	} else {
		(code for unprivileged)
	}

The PRISON_ROOT flag makes uid 0 inside jail(8) count as privileged, so jailed root takes the superuser branch; it should be replaced with 0.
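To make the decision visible without a FreeBSD box, here is a small added model of the check described above. It is not code from the kernel or from this report: model_suser_cred() and model_setflags() are stand-ins written for this note, struct model_cred is an assumed replacement for struct ucred, the PRISON_ROOT value is a placeholder, and the two branch bodies are reconstructed from the quoted comment and the hunk context in the fix below. The flag bit values match FreeBSD's <sys/stat.h> but are defined locally so the model builds anywhere.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Flag bits as in FreeBSD <sys/stat.h>, defined locally so this model
 * builds on any host without the FreeBSD headers. */
#define UF_SETTABLE	0x0000ffffu	/* owner-settable flags */
#define UF_NODUMP	0x00000001u
#define SF_SETTABLE	0xffff0000u	/* super-user-settable flags */
#define SF_IMMUTABLE	0x00020000u	/* "schg" in ls -lo / chflags(1) */
#define SF_APPEND	0x00040000u
#define SF_NOUNLINK	0x00100000u
/* Local helper mask (not a FreeBSD name): the three flags the policy tests. */
#define SYSTEM_LOCK_FLAGS (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)

/* Placeholder value for the suser_cred() flag bit; only its meaning matters. */
#define PRISON_ROOT	0x1

/* Stand-in for struct ucred (assumption, not the kernel's type). */
struct model_cred {
	int	uid;
	bool	jailed;		/* process runs inside jail(8) */
};

/* Modeled suser_cred(): 0 when the credentials count as super-user,
 * EPERM otherwise.  Uid 0 outside a jail is always privileged; uid 0
 * inside a jail is privileged only when the caller passes PRISON_ROOT. */
static int
model_suser_cred(const struct model_cred *cred, int flag)
{
	if (cred->uid != 0)
		return (EPERM);
	if (cred->jailed && (flag & PRISON_ROOT) == 0)
		return (EPERM);
	return (0);
}

/* Modeled flag policy of ufs_setattr(), following the comment quoted in
 * the report.  suser_flag is what the caller hands to suser_cred()
 * (PRISON_ROOT before the fix, 0 after).  On success the new flags are
 * stored in *flags and 0 is returned; otherwise EPERM. */
static int
model_setflags(const struct model_cred *cred, int suser_flag,
    unsigned *flags, unsigned newflags, int securelevel)
{
	if (model_suser_cred(cred, suser_flag) == 0) {
		/* Privileged path: refused only when system flags are
		 * already set and securelevel > 0. */
		if ((*flags & SYSTEM_LOCK_FLAGS) != 0 && securelevel > 0)
			return (EPERM);
		*flags = newflags;
		return (0);
	}
	/* Unprivileged path (jailed root lands here once 0 is passed):
	 * no change while a system flag is set, only user flags may be
	 * requested, and existing system flags are carried over. */
	if ((*flags & SYSTEM_LOCK_FLAGS) != 0)
		return (EPERM);
	if ((newflags & ~UF_SETTABLE) != 0)
		return (EPERM);
	*flags = (*flags & SF_SETTABLE) | (newflags & UF_SETTABLE);
	return (0);
}

/* The report's scenario: root inside a jail runs "chflags noschg test"
 * on a file carrying schg, at securelevel 0. */
static int
jailed_root_clears_schg(int suser_flag)
{
	struct model_cred jroot = { .uid = 0, .jailed = true };
	unsigned flags = SF_IMMUTABLE;
	return (model_setflags(&jroot, suser_flag, &flags, 0, 0));
}

/* Same operation by root outside any jail; only securelevel matters. */
static int
host_root_clears_schg(int securelevel)
{
	struct model_cred hroot = { .uid = 0, .jailed = false };
	unsigned flags = SF_IMMUTABLE;
	return (model_setflags(&hroot, 0, &flags, 0, securelevel));
}

/* An ordinary owner setting a user flag on an unlocked file. */
static int
user_sets_nodump(void)
{
	struct model_cred user = { .uid = 1001, .jailed = false };
	unsigned flags = 0;
	int error = model_setflags(&user, 0, &flags, UF_NODUMP, 0);
	return (error == 0 && flags == UF_NODUMP ? 0 : EPERM);
}

int
main(void)
{
	printf("jailed root, noschg, before fix (PRISON_ROOT): %s\n",
	    jailed_root_clears_schg(PRISON_ROOT) == 0 ? "allowed" : "EPERM");
	printf("jailed root, noschg, after fix (0):            %s\n",
	    jailed_root_clears_schg(0) == 0 ? "allowed" : "EPERM");
	return (0);
}
```

The only line that changes between the two runs is the flag passed to model_suser_cred(); with 0, jailed root fails the super-user test and falls into the branch that refuses to touch a file carrying any system flag, which is the behaviour the comment promises.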
>How-To-Repeat:
root:~:# uname -a; id; ps awux |grep $$
FreeBSD mistress 5.2.1-RELEASE-p9 FreeBSD 5.2.1-RELEASE-p9 #0: Fri Jul 30 02:52:09 CEST 2004     creep@mistress:/usr/src/sys/i386/compile/MONSUN  i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator)
root   633  0,0  1,3  2244 1608  p7  Ss    13:23   0:00,05 /usr/local/bin/zsh -i
root   637  0,0  0,2   424  212  p7  DL+   13:23   0:00,01 grep 633
root:~:# touch test; ls -lo test
-rw-r--r--  1 root  wheel  -  0 11 Sie 13:24 test
root:~:# chflags schg test; ls -lo test
-rw-r--r--  1 root  wheel  schg  0 11 Sie 13:24 test
root:~:# jail / test 127.0.0.1 $SHELL
root:/:# ps awux |grep $$
root   642  0,0  1,3  2244 1608  p7  SJ    13:24   0:00,06 /usr/local/bin/zsh
root   644  0,0  0,6  1460  764  p7  DL+J  13:24   0:00,01 grep 642
root:/:# cd
root:~:# ls -lo test
-rw-r--r--  1 root  wheel  schg  0 11 Sie 13:24 test
root:~:# chflags noschg test; ls -lo test
-rw-r--r--  1 root  wheel  -  0 11 Sie 13:24 test
root:~:# exit
>Fix:
To fix it, the PRISON_ROOT flag needs to be replaced with 0.

----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----
--- sys/ufs/ufs/ufs_vnops.c.orig	Tue Sep 23 15:52:43 2003
+++ sys/ufs/ufs/ufs_vnops.c	Tue Sep 23 15:52:48 2003
@@ -502,7 +502,7 @@
 	 * Privileged non-jail processes may not modify system flags
 	 * if securelevel > 0 and any existing system flags are set.
 	 */
-	if (!suser_cred(cred, PRISON_ROOT)) {
+	if (!suser_cred(cred, 0)) {
 		if (ip->i_flags
 		    & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
 			error = securelevel_gt(cred, 0);
----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----

Also, an explicit description of what the PRISON_ROOT flag does would prevent this kind of error in the future.

----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----
--- sys/kern/kern_prot.c.orig	Wed Aug 11 13:56:29 2004
+++ sys/kern/kern_prot.c	Wed Aug 11 13:58:54 2004
@@ -1227,7 +1227,8 @@
 /*
  * Test whether the specified credentials imply "super-user" privilege.
  * Return 0 or EPERM.  The flag argument is currently used only to
- * specify jail interaction.
+ * specify jail interaction.  PRISON_ROOT bit set in flag argument provides
+ * uid 0 in jail with "super-user" privilege.
  */
 int
 suser_cred(struct ucred *cred, int flag)
----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----

suser_cred() with PRISON_ROOT is called in various places in the kernel; maybe those callers should be revised as well.

Big thanks to all FreeBSD developers for providing a great OS.

--
m.
>Release-Note:
>Audit-Trail:
>Unformatted:
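Review bot: on the ufs_vnops.c hunk (@@ -502,7 +502,7 @@), passing 0 instead of PRISON_ROOT makes suser_cred() return EPERM for uid 0 inside a jail, so jailed root now takes the else branch, which is what the comment in the hunk's own context ("privileged processes in jail() are not permitted to unset system flags") already promises; the code and the comment finally agree. What the hunk does not show is that else branch: the visible context stops at the securelevel_gt(cred, 0) test on the privileged path, so please confirm in the full function that the unprivileged path refuses to clear SF_IMMUTABLE, SF_APPEND and SF_NOUNLINK outright rather than only skipping the securelevel test, since that is now the path jailed root lands on. Two smaller points: the diff is dated Tue Sep 23 2003 while the report was reproduced on 5.2.1-RELEASE-p9, and the description cites line 498 where the hunk header says 502, so a regenerated diff against the tested tree would avoid offset drift; and the sentence "suser_cred with PRISON_ROOT is called in various places in the kernel" deserves a grep and a list in the PR, because every other caller that passes PRISON_ROOT makes the same grant to jailed root.

Review bot: in the kern_prot.c comment hunk (@@ -1227,7 +1227,8 @@), the added sentence reads awkwardly and documents only half of the contract; since the comment already says "Return 0 or EPERM", spell out both outcomes for jailed root, e.g. "+ * specify jail interaction: with PRISON_ROOT set, uid 0 inside a jail" / "+ * is treated as super-user; with flag 0 it is refused (EPERM) like" / "+ * any other unprivileged process." That way a caller reading the comment sees that 0 is the restrictive default and PRISON_ROOT is the opt-in, which is exactly the distinction the ufs_vnops.c hunk depends on.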