From: Dag-Erling Smørgrav <des@des.no>
To: "Poul-Henning Kamp"
Cc: Jamie Landeg Jones, Jason Hellenthal, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, utisoft@gmail.com
Date: Tue, 10 May 2011 19:24:28 +0200
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
Message-ID: <86k4dy31v7.fsf@ds4.des.no>
In-Reply-To: <20051.1305023864@critter.freebsd.dk> (Poul-Henning Kamp's message of "Tue, 10 May 2011 10:37:44 +0000")
References: <20051.1305023864@critter.freebsd.dk>

"Poul-Henning Kamp" writes:
> "Dag-Erling Smørgrav" writes:
> >Jason Hellenthal writes:
> > > Do you know if there is a way that chmod on / from within the jail could
> > > be prevented easily without breaking something ? Maybe not failing but
> > > falling through and return 0 for any operation with the sole argument of /.
> > Not without adding explicit checks in the kernel.
> I identified this issue back when I implemented jails and thought long
> and hard about adding a kernel hack to paste over this. [...] I
> think we should stick to [Getty's rule] before adding more or less
> random pieces of magic to the kernel.

I vote no as well, but for a different reason: there are many other
things the jailed root can do to the root directory, including flags,
extended attributes, etc. (some of which are fs-dependent), and it would
be difficult or impossible to identify all of them, not to mention those
that aren't yet possible but will be in the future. Fixing just one (or
two, or five) of them today might give users a false sense of security,
which is inexcusable when we can give a *true* sense of security by
telling them to "chmod 0700 $D/..".

DES
-- 
Dag-Erling Smørgrav - des@des.no
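A host-side audit of the mitigation DES gives above ("chmod 0700 $D/.."), added here as an example and not part of the original thread. It checks that the directory containing a jail root grants nothing to group or other and is owned by root; the function names and the use of ls -ld for portability between BSD and GNU stat are the example's own choices.

```sh
#!/bin/sh
# Added example: audit the directory that contains a jail's root ($D/..).
# Whatever a jailed root does to its own "/", unprivileged users on the
# host cannot traverse into the jail tree if the parent directory is
# mode 0700 and owned by root.

# ls(1) permission string of a path, e.g. "drwx------". ls -ld is used
# because BSD `stat -f` and GNU `stat -c` differ; cut -c1-10 also drops
# the "+"/"@" suffix FreeBSD appends for ACLs or extended attributes.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Owner of a path, from the third field of ls -ld.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# 0 if the parent of the given jail root has no group/other bits at all.
# Symlinks ("l...") and set-id/sticky bits deliberately fail the pattern.
jail_parent_mode_ok() {
    case "$(mode_string "$(dirname "$1")")" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Full check: mode and ownership. Prints the remedial command instead of
# running it. Returns 0 = ok, 1 = mode too permissive, 2 = not root-owned.
check_jail_parent() {
    parent=$(dirname "$1")
    if ! jail_parent_mode_ok "$1"; then
        echo "WARN: $parent is $(mode_string "$parent"); run: chmod 0700 '$parent'" >&2
        return 1
    fi
    if [ "$(owner_of "$parent")" != root ]; then
        echo "WARN: $parent is owned by $(owner_of "$parent"), not root" >&2
        return 2
    fi
    echo "OK: $parent is 0700 and owned by root"
}
```

Run it as `check_jail_parent /usr/jails/myjail` (path is a placeholder) for each jail root on the host.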