From owner-freebsd-security@FreeBSD.ORG  Tue May 10 12:20:10 2011
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CAEC9106566B
	for <freebsd-security@freebsd.org>;
	Tue, 10 May 2011 12:20:10 +0000 (UTC)
	(envelope-from jamie@bishopston.net)
Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net
	[66.148.74.41]) by mx1.freebsd.org (Postfix) with ESMTP id 7E19D8FC17
	for <freebsd-security@freebsd.org>;
	Tue, 10 May 2011 12:20:10 +0000 (UTC)
X-Catflap-Envelope-From: <jamie@catflap.bishopston.net>
Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1])
	by catflap.bishopston.net (8.14.4/8.14.3) with ESMTP id p4ACIjfR033824; 
	Tue, 10 May 2011 13:18:45 +0100 (BST)
	(envelope-from jamie@catflap.bishopston.net)
Received: (from jamie@localhost)
	by catflap.bishopston.net (8.14.4/8.12.9/Submit) id p4ACIio8033823;
	Tue, 10 May 2011 13:18:44 +0100 (BST)
From: Jamie Landeg Jones <jamie@bishopston.net>
Message-Id: <201105101218.p4ACIio8033823@catflap.bishopston.net>
Date: Tue, 10 May 2011 13:18:44 +0100
Organization: http://www.bishopston.com/jamie/
To: jhell@DataIX.net, des@des.no
References: <op.vu2g4b0k34t2sn@tech304>
	<BANLkTikJgPt4SM_B_7drpgFvO8RkvXaOtw@mail.gmail.com>
	<201105072231.p47MVktY035491@catflap.bishopston.net>
	<BANLkTikgnqXB4pdvCd9j9n7pFvg=n5FrdQ@mail.gmail.com>
	<20110508075203.GA61754@DataIX.net>
	<BANLkTi=8by=rtbNUDtA8CRSMJsmgPOR2XA@mail.gmail.com>
	<20110508173931.GA2757@DataIX.net> <86fwoof8lj.fsf@ds4.des.no>
	<BANLkTi=-0=L0MmezOCa=tiv6DrwHYZ83AQ@mail.gmail.com>
	<86zkmwdpdl.fsf@ds4.des.no> <20110509144947.GB77054@DataIX.net>
In-Reply-To: <20110509144947.GB77054@DataIX.net>
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.97 at catflap.bishopston.net
X-Virus-Status: Clean
Cc: jamie@bishopston.net, freebsd-security@freebsd.org, feld@feld.me,
	edhoprima@gmail.com, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2011 12:20:10 -0000


> Do you know if there is a way that chmod on / from within the jail could 
> be prevented easily without breaking something ? Maybe not failing but 
> falling though and return 0 for any operation with the sole argument of /.

Enforcing 700 on the jail root?

Whilst I was wrong on chmod 700 on (say) /usr/jails it is still the case
that the root directory of the jail itself (/usr/jail/jailname) has to
be 755 for non-root processeses within the jail to access the filesystem!

cheers,
Jamie