Date: Tue, 11 Feb 2003 21:22:55 -0800
From: "Mooneer Salem"
Subject: kern/48198: Non-jailed users can kill processes owned by same UID

>Number: 48198
>Category: kern
>Synopsis: Non-jailed users can kill processes owned by same UID
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 11 21:30:06 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Mooneer Salem
>Release: FreeBSD 5.0-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD pacific.lifeafterking.org 5.0-RELEASE-p1 FreeBSD 5.0-RELEASE-p1 #0: Tue Feb 11 17:02:49 MST 2003 mooneer@pacific.lifeafterking.org:/usr/src.dirty/sys/i386/compile/VMWARE-SERVER i386

>Description:
When a process is running inside a jail that is owned by a UID that exists
outside of the jail as well as inside, the outside user is able to kill that
process, even if both users are not the same person. If this is the case, this
could cause people to be more than slightly annoyed.

>How-To-Repeat:
Create a full jail per the jail(8) instructions, and then create a user inside
the jail that has the same UID as a user outside of it. Log into the jail as
that user and start a program such as vi, and then go outside and as the
outside user (not as root), run kill [pid], where [pid] is the process ID of
the jailed process.

>Fix:
Apply this patch and recompile the kernel:

--- src.virgin/sys/kern/kern_jail.c Thu Dec 19 02:40:10 2002 +++ src.dirty/sys/kern/kern_jail.c Tue Feb 11 21:53:11 2003 
@@ -221,6 +352,12 @@ return (ESRCH); if (cred2->cr_prison != cred1->cr_prison) return (ESRCH); + } else { + /* This is necessary because it appears if a process is running in + a jail and the process is running under the same UID as the user, + kill() will actually kill it. */ + if (jailed(cred2) && cred1->cr_ruid != 0) + return (ESRCH); } return (0); >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
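Review bot: In the new else branch, the test `jailed(cred2) && cred1->cr_ruid != 0` is broader than the comment above it describes, and it keys the root exemption on the real UID. The condition never compares UIDs, so it returns ESRCH for every unjailed credential whose real UID is not 0 against every jailed target. The effect is that jailed processes are hidden from all non-root host users wherever this check is consulted, not only protected from a same-UID kill(). If that wider behaviour is intended, the comment should say so. The exemption would also be better expressed through the effective UID (`cr_uid`) or the kernel's existing superuser check than through `cr_ruid`, because a credential with real UID 0 that has dropped its effective UID still passes here. The hunk header (old start 221, new start 352) shows the modified file carries about 130 extra lines ahead of this hunk, so it is worth confirming those changes are unrelated before the patch is applied to an unmodified tree.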