From owner-freebsd-security@FreeBSD.ORG Thu Jan 15 19:00:42 2009
Date: Thu, 15 Jan 2009 12:31:50 -0600
From: "Jon Passki" <jon.passki@hursk.com>
To: utisoft@gmail.com
Cc: freebsd-security@freebsd.org
Subject: Re: Thoughts on jail privilege (FAQ submission)

On Thu, Jan 15, 2009 at 11:09 AM, Chris Rees wrote:
> Hey all,
>
> I think that there should be a warning (on the jail man page or
> handbook page perhaps), on setuid in jails. Ex:
>
> John <-- user on the (host) server
>
> I give John root access to a jail (just for him to play with), and he
> then sets vi (for example) to setuid root. He then sshs into the host,
> and uses
>
> $ /usr/jail/johnsandbox/usr/bin/vi /usr/local/etc/sudoers
>
> He now has root!
>
> Am I completely thick not to have noticed this, or should there be a
> warning about people being allowed to have root in a jail where they
> have unprivileged access to the host? Or have I missed the point of a
> jail?
>

Nice catch! My SOP is to chmod 700 on the directory hosting the jails.

Your example is a file system issue that is shared between multiple
levels of trust for one user. FreeBSD jails do not offer protection on
the file system space outside of the jail. This should be documented
as a gotcha, though.

Another thing to think about is user IDs. You could have a user ID in
your host of 1001. Your jail could have a completely different user
account, but collide on the user ID of 1001. Your host user ID 1001
will have access to those jail user ID 1001 files, unless you restrict
a parent directory. That was the use case I came across and avoided.

Jon
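A host-side audit for the two exposures raised in this thread, written here as an added example and not code from the FreeBSD project or from either poster: it lists setuid/setgid files under a jail root that host users could execute (the `/usr/jail/johnsandbox/usr/bin/vi` case), checks whether the directory holding the jails is still reachable by group or other rather than the chmod 700 Jon recommends, and reports UIDs that name different accounts in the host and jail passwd files (the 1001 collision). The function names and the jail tree and passwd contents are constructed for the example; it assumes POSIX sh with find, ls, awk and mktemp, run on the host.

```sh
#!/bin/sh
# Added audit example for the thread's two exposures; not code from FreeBSD
# or the list posters. Assumes POSIX sh with find(1), ls(1), awk(1), mktemp(1).
# Run on the HOST: the point is what host users can reach inside jail trees.

# List regular files under a jail root carrying the setuid or setgid bit.
# Any host user who can traverse the jail directory can execute them.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Exit 0 when the directory holding the jails is reachable by group or
# other, i.e. it is NOT the chmod 700 the thread recommends. Characters
# 5-10 of the ls -ld mode string are the group and other bits.
jail_dir_exposed() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" != "------" ]
}

# Print "uid host_name jail_name" for each UID that names a different
# account in the host passwd ($1) and the jail passwd ($2).
uid_collisions() {
    awk -F: 'NR == FNR { host[$3] = $1; next }
             ($3 in host) && host[$3] != $1 { print $3, host[$3], $1 }' "$1" "$2"
}

# Constructed sample: a jail tree with one setuid and one setgid binary,
# plus host and jail passwd files that collide on UID 1001.
make_sample_jail() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin" "$root/etc"
    for f in usr/bin/vi usr/bin/cat usr/local/bin/tool; do
        printf '#!/bin/sh\n' > "$root/$f"
        chmod 755 "$root/$f"
    done
    chmod u+s "$root/usr/bin/vi"          # setuid, as in the thread
    chmod g+s "$root/usr/local/bin/tool"  # setgid
    printf 'root:*:0:0:Charlie &:/root:/bin/sh\nalice:*:1001:1001:Alice:/home/alice:/bin/sh\n' \
        > "$root/etc/host.passwd"         # constructed host passwd
    printf 'root:*:0:0:Charlie &:/root:/bin/sh\nwww:*:1001:1001:Web:/nonexistent:/usr/sbin/nologin\n' \
        > "$root/etc/passwd"              # constructed jail passwd
    chmod 755 "$root"                     # the permissive mode this audit flags
    printf '%s\n' "$root"
}

# Stand-alone demo: report, lock the directory down, report again.
audit_demo() {
    root=$(make_sample_jail) || return 1
    echo "setuid/setgid files under $root:"
    setuid_files "$root"
    if jail_dir_exposed "$root"; then
        echo "$root is reachable by other host users; applying chmod 700"
        chmod 700 "$root"
    fi
    jail_dir_exposed "$root" && echo "still exposed" || echo "$root is now mode 700"
    echo "UID collisions (uid host jail):"
    uid_collisions "$root/etc/host.passwd" "$root/etc/passwd"
    rm -rf "$root"
}

audit_demo
```

The directory check only proves that the jail's parent is closed to other host users; the setuid listing is still worth running periodically, since a jail root can re-create such files at any time and the parent directory's mode is the only thing standing between them and host users.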