Date: Fri, 16 Jan 2009 17:29:18 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: utisoft@gmail.com
Cc: freebsd-security@freebsd.org
Subject: Re: Thoughts on jail privilege (FAQ submission)
Message-ID: <87sknjjmlt.fsf@kobe.laptop>
In-Reply-To: <b79ecaef0901150909t54acd194t8236ded99fa2150b@mail.gmail.com> (Chris Rees's message of "Thu, 15 Jan 2009 17:09:05 +0000")
References: <b79ecaef0901150909t54acd194t8236ded99fa2150b@mail.gmail.com>

On Thu, 15 Jan 2009 17:09:05 +0000, "Chris Rees" <utisoft@googlemail.com> wrote:
> Hey all,
>
> I think that there should be a warning (on the jail man page or
> handbook page perhaps), on setuid in jails. Ex:
>
> John <-- user on the (host) server
>
> I give John root access to a jail (just for him to play with), and he
> then sets vi (for example) to setuid root. He then sshs into the host,
> and uses
>
> $ /usr/jail/johnsandbox/usr/bin/vi /usr/local/etc/sudoers
>
> He now has root!

If the host system and the jail share the `john' user *and* you are
sharing `/usr/local' as read-write between the host and the jail, then
``you are doing it wrong!''. But that's a good warning to add somewhere
in the jail documentation :)
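
A host-side check for the situation discussed in this message, as an added example that is not part of the original e-mail or of FreeBSD: it reports whether unprivileged host users can walk into a jail tree and which setuid-root files they would find there. The function names and the `top` and `owner_uid` parameters are assumptions made for this illustration; the jail path is the one from the quoted message.

```python
#!/usr/bin/env python3
"""Host-side audit: setuid files inside a jail tree that host users can reach."""
import os
import stat
import sys


def others_can_traverse(path, top="/"):
    """True if 'other' has search (x) on every directory from path up to top.
    Simplification: group membership and ACLs are not considered."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    while True:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(path)
        if path == top or parent == path:
            return True
        path = parent


def setuid_files(root, owner_uid=0):
    """Yield regular files under root that are setuid and owned by owner_uid."""
    for dirpath, _dirs, names in os.walk(root):  # does not follow symlinks
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # file vanished or unreadable; skip it
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & stat.S_ISUID):
                yield full


def audit(jail_root, top="/", owner_uid=0):
    """Return (reachable, files): whether unprivileged host users can walk
    into jail_root, and the setuid files they would find there."""
    return (others_can_traverse(jail_root, top),
            sorted(setuid_files(jail_root, owner_uid)))


if __name__ == "__main__":
    # Jail roots are passed on the command line, e.g. /usr/jail/johnsandbox
    for jail in sys.argv[1:]:
        reachable, files = audit(jail)
        state = "REACHABLE" if reachable else "not reachable"
        print(f"{jail}: {state} by host users, {len(files)} setuid-root file(s)")
        for f in files:
            print(f"  {f}")
```

Both results have to be true for the exposure to exist: removing the search bit for others on the jail's parent directory (mode 0700, owned by root) makes the first one false.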