Date: Sat, 13 Dec 2014 12:59:33 -0700 From: James Gritton <jamie@freebsd.org> To: freebsd-questions@freebsd.org Subject: Re: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely Message-ID: <5f292bdb8f6779ab8868d51d8dbce7c3@gritton.org> In-Reply-To: <042a01d011bd$e4cb1530$ae613f90$@mgedv.net> References: <042a01d011bd$e4cb1530$ae613f90$@mgedv.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2014-12-06 18:34, no@spam@mgEDV.net wrote: > hi guys, > > as the "real" application faces the same problems, i created a test > jail on a clean box just to check the behaviour using "/usr/bin/id". > > problem description (hopefully i nailed it): > if a jailed process needs any .so for startup, the path to those *.so > needs to be world r-x, although the GID of the jail execute user > is allowed to r/x the dirs, where the *.so files are to be found. > there could be (ordering) errors with SET(e)GID in jail_* functions, > because it works as expected when prefixing with "chroot -g test /". > the EGID is dropped to the jail user's gid, but the GID is still 0! > we end up with a jailed proc (UID=999, GID=0), which of course is > not allowed to access the dirs for the *.so's to be loaded by exec. > [see end of message for setup details] There does indeed seem to be a missing setgid() in jail (compared to jexec, which gets it right). Could you please file a big report on this? Then I'll get it fixed up. - Jamie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5f292bdb8f6779ab8868d51d8dbce7c3>