Date: Tue, 11 Feb 2003 21:22:55 -0800
From: "Mooneer Salem" <mooneer@translator.cx>
To: <FreeBSD-gnats-submit@FreeBSD.org>
Subject: kern/48198: Non-jailed users can kill processes owned by same UID
Message-ID: <FHEMJMOKKMJDGKFOHHEPCEEHEOAA.mooneer@translator.cx>
>Number: 48198
>Category: kern
>Synopsis: Non-jailed users can kill processes owned by same UID
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 11 21:30:06 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Mooneer Salem
>Release: FreeBSD 5.0-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD pacific.lifeafterking.org 5.0-RELEASE-p1 FreeBSD 5.0-RELEASE-p1 #0: Tue Feb 11 17:02:49 MST 2003 mooneer@pacific.lifeafterking.org:/usr/src.dirty/sys/i386/compile/VMWARE-SERVER i386

>Description:
When a process is running inside a jail that is owned by a UID that exists outside of the jail as well as inside, the outside user is able to kill that process, even if both users are not the same person. If this is the case, this could cause people to be more than slightly annoyed.

>How-To-Repeat:
Create a full jail per the jail(8) instructions, and then create a user inside the jail that has the same UID as a user outside of it. Log into the jail as that user and start a program such as vi, and then go outside and as the outside user (not as root), run kill [pid], where [pid] is the process ID of the jailed process.

>Fix:
Apply this patch and recompile the kernel:

--- src.virgin/sys/kern/kern_jail.c Thu Dec 19 02:40:10 2002 +++ src.dirty/sys/kern/kern_jail.c Tue Feb 11 21:53:11 2003 @@ -221,6 +352,12 @@ return (ESRCH); if (cred2->cr_prison != cred1->cr_prison) return (ESRCH); + } else { + /* This is necessary because it appears if a process is running in + a jail and the process is running under the same UID as the user, + kill() will actually kill it. */ + if (jailed(cred2) && cred1->cr_ruid != 0) + return (ESRCH); } return (0);

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
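
Review bot: The new else branch tests `cred1->cr_ruid != 0`, the real UID, to decide whether the caller is exempt. Privilege decisions normally key on the effective UID (`cr_uid`) or go through the kernel's superuser check, so a process that has real UID 0 but has dropped its effective UID would still pass, and a setuid-root process started by an ordinary user would be refused. Suggest replacing the open-coded comparison with the superuser check used elsewhere in the kernel. Separately, the comment describes kill() only, but the branch returns ESRCH for every unjailed non-root `cred1` against any jailed `cred2`, regardless of UID, so any other caller of this function in kern_jail.c is affected too; please confirm that is intended and say so in the comment. The hunk header `@@ -221,6 +352,12 @@` also shows the new file starting 131 lines later than the old one, so src.dirty carries other local changes; regenerate the diff against a clean tree.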