Date:      Tue, 11 Feb 2003 21:22:55 -0800
From:      "Mooneer Salem" <mooneer@translator.cx>
To:        <FreeBSD-gnats-submit@FreeBSD.org>
Subject:   kern/48198: Non-jailed users can kill processes owned by same UID
Message-ID:  <FHEMJMOKKMJDGKFOHHEPCEEHEOAA.mooneer@translator.cx>


>Number:         48198
>Category:       kern
>Synopsis:       Non-jailed users can kill processes owned by same UID
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 11 21:30:06 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Mooneer Salem
>Release:        FreeBSD 5.0-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD pacific.lifeafterking.org 5.0-RELEASE-p1 FreeBSD 5.0-RELEASE-p1 #0: Tue Feb 11 17:02:49 MST 2003 mooneer@pacific.lifeafterking.org:/usr/src.dirty/sys/i386/compile/VMWARE-SERVER i386

>Description:
        When a process is running inside a jail that is owned by a UID that exists outside of the jail as well as inside, the outside user is able to kill that process, even if both users are not the same person. If this is the case, this could cause people to be more than slightly annoyed.

>How-To-Repeat:
        Create a full jail per the jail(8) instructions, and then create a user inside the jail that has the same UID as a user outside of it. Log into the jail as that user and start a program such as vi, and then go outside and as the outside user (not as root), run kill [pid], where [pid] is the process ID of the jailed process.

>Fix:
        Apply this patch and recompile the kernel:

--- src.virgin/sys/kern/kern_jail.c     Thu Dec 19 02:40:10 2002
+++ src.dirty/sys/kern/kern_jail.c      Tue Feb 11 21:53:11 2003
@@ -221,6 +352,12 @@
                        return (ESRCH);
                if (cred2->cr_prison != cred1->cr_prison)
                        return (ESRCH);
+       } else {
+               /* This is necessary because it appears if a process is
running in
+                  a jail and the process is running under the same UID as
the user,
+                  kill() will actually kill it. */
+               if (jailed(cred2) && cred1->cr_ruid != 0)
+                       return (ESRCH);
        }

        return (0);
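Review bot: the root exemption on the added line `if (jailed(cred2) && cred1->cr_ruid != 0)` keys on the real uid rather than on a privilege check, so a host process that holds superuser privilege but has a non-zero real uid is refused, while one whose real uid is 0 but that has dropped its effective privileges is allowed; test cred1 with the kernel's superuser check instead of reading cr_ruid directly. The hunk also does not show the enclosing function or who calls it: if this check is reached from more than signal delivery, the new else branch hides jailed processes from every non-root host user as well, which the description does not ask for, so either state that this is intended or keep the restriction on the signal path. Two of the added comment lines (`running in`, `the user,`) have no leading `+`, so the hunk will not apply with patch(1) as posted, and the header `@@ -221,6 +352,12 @@` counts only 6 added lines while the new-side offset has moved by 131, which suggests the diff was taken against a tree with other local changes.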

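A user-space model of the credential check the patch above changes, added here as an illustration and not taken from the report or from the FreeBSD source: `struct cred` stands in for the kernel's struct ucred, the prison ids and uids are constructed, and the enclosing `if (jailed(cred1))` of the pre-patch function is reconstructed from the hunk's context (an assumption). It shows which caller/target combinations are refused with ESRCH before and after the change.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Stand-in for the kernel's struct ucred; only the fields the check reads. */
struct cred {
    int prison; /* 0 = not jailed, otherwise a constructed prison id */
    int ruid;   /* real uid */
};

static bool jailed(const struct cred *c) { return c->prison != 0; }

/* Check before the patch (outer condition reconstructed from the hunk's
 * context): only a jailed caller (cred1) is confined to its own prison. A host
 * caller is never refused here, so a host user can signal a same-uid jailed process. */
int jail_check_original(const struct cred *cred1, const struct cred *cred2)
{
    if (jailed(cred1)) {
        if (!jailed(cred2))
            return ESRCH;
        if (cred2->prison != cred1->prison)
            return ESRCH;
    }
    return 0;
}

/* Check with the report's patch applied: a host caller whose real uid is
 * not 0 is also refused whenever the target (cred2) is jailed. */
int jail_check_patched(const struct cred *cred1, const struct cred *cred2)
{
    if (jailed(cred1)) {
        if (!jailed(cred2))
            return ESRCH;
        if (cred2->prison != cred1->prison)
            return ESRCH;
    } else if (jailed(cred2) && cred1->ruid != 0) {
        return ESRCH;
    }
    return 0;
}

int main(void)
{
    /* Constructed credentials: uid 1001 exists on the host and in prison 7. */
    struct cred host_user = {0, 1001}, host_root = {0, 0}, jail_user = {7, 1001};
    printf("host uid 1001 -> jailed uid 1001: before=%d after=%d\n",
           jail_check_original(&host_user, &jail_user),
           jail_check_patched(&host_user, &jail_user));
    printf("host root -> jailed uid 1001: after=%d\n",
           jail_check_patched(&host_root, &jail_user));
    return 0;
}
```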

>Release-Note:
>Audit-Trail:
>Unformatted:
