From owner-freebsd-security@FreeBSD.ORG Tue May 10 19:23:22 2011
From: Jamie Landeg Jones
Date: Tue, 10 May 2011 20:21:57 +0100
Organization: http://www.bishopston.com/jamie/
To: des@des.no, bakul@bitblocks.com
Cc: jamie@bishopston.net, jhell@DataIX.net, feld@feld.me, edhoprima@gmail.com, freebsd-security@freebsd.org, phk@phk.freebsd.dk, utisoft@gmail.com
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)
Message-Id: <201105101921.p4AJLvQL086908@catflap.bishopston.net>
In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com>
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>

> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

Haha, all talking about kernel hacks and so on, and yet, to me, that seems the simplest, but ALSO the most elegant solution.

I'd have some override flag that could be set for those whose jails are directly under an important folder, e.g. /usr/my-jail-name/, so that those unable to change straight away can set an rc/sysctl flag rather than have to hack the code.

Is this turning into a bikeshed discussion?
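The 0700-parent precondition proposed above, together with the override flag the reply asks for, as an added example that is not from this thread and not part of jail(8): a POSIX sh pre-check (hypothetical function `jail_parent_ok`) that a jail start script could run before invoking jail. It reads `ls -ld` rather than `stat` because the `stat` flags differ between FreeBSD and other systems; the jail path in the trailing comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of jail(8).
# jail_parent_ok JAILROOT [OWNER] [OVERRIDE]
#   Succeeds when the parent directory of JAILROOT is owned by OWNER
#   (default root) and is exactly mode 0700, so that no other user on
#   the host, and nothing inside the jail, can traverse or rename it.
#   OVERRIDE=yes turns a failed check into a warning, for hosts whose
#   jails live directly under a shared directory such as /usr.
jail_parent_ok() {
    root=$1
    want_owner=${2:-root}
    override=${3:-no}
    parent=$(dirname "$root")

    if [ ! -d "$parent" ]; then
        echo "jail_parent_ok: $parent is not a directory" >&2
        return 1
    fi

    # ls -ld is POSIX: field 1 is the mode string, field 3 the owner.
    # Only the first ten mode characters are compared, so a trailing
    # '+' or '@' (ACLs, extended attributes) does not affect the check.
    line=$(ls -ld "$parent")
    mode=$(printf '%s\n' "$line" | awk '{print substr($1, 1, 10)}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')

    if [ "$mode" = "drwx------" ] && [ "$owner" = "$want_owner" ]; then
        return 0
    fi

    if [ "$override" = "yes" ]; then
        echo "jail_parent_ok: warning: $parent is $mode owned by $owner;" \
             "override in effect" >&2
        return 0
    fi

    echo "jail_parent_ok: refusing: $parent must be mode 0700 owned by" \
         "$want_owner (found $mode owned by $owner)" >&2
    return 1
}

# Wiring it into a start script (constructed placeholder path):
# jail_parent_ok /usr/jails/www root "${JAIL_PARENT_OVERRIDE:-no}" || exit 1
```

The check is advisory only: it closes nothing by itself, it just stops the jail from being started until the parent directory has been fixed or the override has been set deliberately.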