Date: Thu, 11 Dec 2014 08:15:54 +0800
From: Ernie Luzar <luzar722@gmail.com>
To: "no@spam@mgedv.net" <nospam@mgedv.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely
Message-ID: <5488E23A.9020002@gmail.com>
In-Reply-To: <000001d01495$8b36ee60$a1a4cb20$@mgedv.net>
References: <042a01d011bd$e4cb1530$ae613f90$@mgedv.net> <000001d01495$8b36ee60$a1a4cb20$@mgedv.net>
no@spam@mgedv.net wrote:

really, no one running jails on 10.1 with chmod o-rwx of the jail-home? ;-)
cheers

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of no@spam@mgEDV.net
Sent: Sunday, December 07, 2014 2:34 AM
To: freebsd-questions@freebsd.org
Subject: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely

hi guys,

as the "real" application faces the same problems, i created a test jail on a clean box just to check the behaviour using "/usr/bin/id".

problem description (hopefully i nailed it):
if a jailed process needs any .so for startup, the path to those *.so needs to be world r-x, although the GID of the jail execute user is allowed to r/x the dirs where the *.so files are to be found. there could be (ordering) errors with SET(e)GID in jail_* functions, because it works as expected when prefixing with "chroot -g test /". the EGID is dropped to the jail user's gid, but the GID is still 0! we end up with a jailed proc (UID=999, GID=0), which of course is not allowed to access the dirs for the *.so's to be loaded by exec.

[see end of message for setup details]

=== the symptom ===
/jail# /jail/a.sh
Shared object "libbsm.so.3" not found, required by "id"
jail: /bin/id: failed

=== details from truss ===
619: access("/lib/libbsm.so.3",0) ERR#13 'Permission denied'
619: access("/usr/lib/libbsm.so.3",0) ERR#13 'Permission denied'

=== some UID/GID details from kdump ===
/jail# grep -i '[g|s]et.*id' jail.kdump
64746 100091 jail CALL issetugid
64746 100091 jail RET issetugid 0
64746 100091 jail CALL issetugid
64746 100091 jail RET issetugid 0
64747 100093 jail CALL geteuid
64747 100093 jail RET geteuid 0
64747 100093 jail CALL setuid(0x3e7)
64747 100093 jail RET setuid 0
64747 100093 jail CALL getuid
64747 100093 jail RET getuid 999/0x3e7
64747 100093 jail CALL geteuid
64747 100093 jail RET geteuid 999/0x3e7
64747 100093 jail CALL getegid
64747 100093 jail RET getegid 999/0x3e7
64747 100093 jail CALL setegid(0x3e7)
64747 100093 jail RET setegid -1 errno 1 Operation not permitted
64747 100093 jail CALL seteuid(0x3e7)
64747 100093 jail RET seteuid 0
64747 100093 jail CALL seteuid(0x3e7)
64747 100093 jail RET seteuid 0
64747 100093 jail CALL setegid(0x3e7)
64747 100093 jail RET setegid -1 errno 1 Operation not permitted
64747 100093 id CALL issetugid
64747 100093 id RET issetugid 1

=== proof 1: chroot fixes the jail .so load problem ===
# outside the jail - just to know what's changing:
/jail# chroot -g test / id
uid=0(root) gid=0(wheel) egid=999(test) groups=999(test),5(operator)
# inside the jail - this is our "fix":
/jail# chroot -g test / /jail/a.sh
uid=999 gid=999(test) groups=999(test)

=== proof 2: chmod fixes *.so load, but GID=0 here! ===
if i chmod the jail homedir and jail's lib dir, it works:
/jail# chmod a+rx /jail /jail/lib
/jail# ./a.sh
uid=999 gid=0(wheel) egid=999(test) groups=999(test)

user and group names are read fine from the jailed "id", although the file perms are as listed below.

is this a bug or am i missing something?

any help/info/enlightenment appreciated ;-)
[just reply to the list, i'm on it]

==== CONFIG (tested 3 different times with GENERIC and a CUSTOM kernel):
LiveCD install source: FreeBSD-10.1-RELEASE-amd64-disc1.iso
sha256: 0c3d64ce48c3ef761761d0fea07e1935e296f8c045c249118bc91a7faf053a6b
fresh install on 2 different ESXi 5.5 hosts and a 3rd physical PC.
only base.tgz+kernel.tgz or liveCD, tried on UFS2 (gpt) and tmpfs.
i used the www user and tmpfs on the liveCD, but everything else was the same.

=== the test user ===
/jail# id -P test
test:*:999:999::0:0:User &:/home/test:/bin/sh

=== the jail (before the mentioned chmod) ===
/jail# ls -Ralo
total 68
dr-xr-xr-x  6 root  test  -     512 Dec  7 01:02 .
drwxr-xr-x 19 root  wheel -     512 Dec  7 00:06 ..
-rwx------  1 root  test  -     773 Dec  7 01:00 a.sh
dr-xr-x---  2 root  test  -     512 Dec  6 23:58 bin
drwxr-x---  2 root  test  -     512 Dec  7 01:01 etc
-rw-r-----  1 root  test  -   37157 Dec  7 01:02 jail.truss
dr-xr-xr-x  2 root  test  -     512 Dec  6 23:59 lib
dr-xr-x---  2 root  test  -     512 Dec  7 00:00 libexec

./bin:
total 24
dr-xr-x---  2 root  test  -     512 Dec  6 23:58 .
dr-xr-xr-x  6 root  test  -     512 Dec  7 01:02 ..
-r-xr-x---  1 root  test  -   12432 Nov 11 22:03 id

./etc:
total 60
drwxr-x---  2 root  test  -     512 Dec  7 01:01 .
dr-xr-xr-x  6 root  test  -     512 Dec  7 01:02 ..
-rw-r-----  1 root  test  -     473 Dec  7 00:04 group
-rw-r-----  1 root  test  -     321 Dec  7 01:01 nsswitch.conf
-rw-r-----  1 root  test  -    1570 Dec  7 00:27 passwd
-rw-------  1 root  test  -   40960 Dec  7 00:27 spwd.db

./lib:
total 1744
dr-xr-xr-x  2 root  test  -     512 Dec  6 23:59 .
dr-xr-xr-x  6 root  test  -     512 Dec  7 01:02 ..
-r--r-----  1 root  test  -  106264 Nov 11 22:03 libbsm.so.3
-r--r-----  1 root  test  - 1631216 Nov 11 22:03 libc.so.7

./libexec:
total 124
dr-xr-x---  2 root  test  -     512 Dec  7 00:00 .
dr-xr-xr-x  6 root  test  -     512 Dec  7 01:02 ..
-r-xr-x---  1 root  test  -  118520 Nov 11 22:03 ld-elf.so.1

=== the start command ====
/jail# cat a.sh
umask 027; rm -f /jail/jail.truss /jail/jail.kdump /jail/jail.ktrace
#/usr/bin/truss -f -e -a -o /jail/jail.truss -s 1000 \
ktrace -d -f /jail/jail.ktrace -i -t cinpstuy \
jail -c jid=1 \
  name=test \
  path=/jail \
  ip4.addr=1.1.1.1 \
  host.hostuuid=c91e438a-1a44-4b7e-8732-0441ca9e2b97 \
  host.hostid=6146666201 \
  allow.sysvipc=0 \
  allow.raw_sockets=0 \
  exec.jail_user=test \
  exec.system_user=test \
  exec.system_jail_user=true \
  host.hostname=test \
  host.domainname=test.me \
  allow.set_hostname=0 \
  allow.chflags=0 \
  allow.mount=0 \
  allow.quotas=0 \
  allow.socket_af=0 \
  enforce_statfs=2 \
  ip4=new \
  ip6=disable \
  command=/bin/id \
kdump -H -f /jail/jail.ktrace >/jail/jail.kdump

=== EOM ===

First off, I can not give you an answer of the type you're looking for. But I run 47 jails (a jail per classroom student), all built using qjail on a 10.0 system without any problems. So my guess is your problem may be related to the way you built your jail directory filesystem.

Secondly, you have way too many jail.conf statements that are not needed to define a jail. All the statements that end in =0 do not need the =0; just the statement name will work. The allow.sysvipc and allow.raw_sockets options break the security of the jail and should never be used on a production jail accepting traffic from the public internet. When you start a jail you should use the jail's name, not the JID that you hope is correct.

You may be interested in the jail-primer port. It provides jail documentation that should be in the handbook. http://jail-primer.sourceforge.net/

Try building your jail using qjail or the jail-primer scripts to see if your problem goes away.

Good luck
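The kdump trace in the thread shows setuid(999) succeeding before setegid(999), which then fails with EPERM because the process has already given up the privilege needed to change its group, leaving the real gid at 0. The following C program is an added illustration, not code from the thread or from FreeBSD's jail(8): it drops credentials in the order that avoids that failure (supplementary groups, then gid, then uid last) and then verifies that every credential actually changed. The target ids 999:999 are taken from the thread's test user; when run unprivileged the program can only re-assert the caller's own ids.

```c
#define _DEFAULT_SOURCE   /* glibc: expose setgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 0 only if real and effective uid/gid all equal the requested
 * values. This is the check that would flag the thread's observed
 * state "uid=999 gid=0 egid=999" as an incomplete drop. */
int verify_ids(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Drop to uid/gid in the safe order. Calling setuid() first is what the
 * trace shows: once the effective uid is 999, setegid(999) is refused
 * with EPERM. Returns 0 on success, -1 with errno set on failure. */
int drop_privs(uid_t uid, gid_t gid)
{
    /* setgroups() itself requires root; an unprivileged caller keeps
     * its existing supplementary group list. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)      /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)      /* last: no privilege remains after this */
        return -1;
    if (verify_ids(uid, gid) != 0) {
        errno = EPERM;         /* something silently did not change */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Sample targets: the thread's "test" user is 999:999 (assumed). */
    uid_t uid = geteuid() == 0 ? 999 : getuid();
    gid_t gid = geteuid() == 0 ? 999 : getgid();

    if (drop_privs(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("uid=%u euid=%u gid=%u egid=%u\n", (unsigned)getuid(),
           (unsigned)geteuid(), (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```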
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5488E23A.9020002>