From owner-freebsd-security@FreeBSD.ORG Tue May 10 21:01:27 2011
From: William Palfreman
To: Bakul Shah
Cc: Jamie Landeg Jones, feld@feld.me, Edho P Arief, freebsd-security@freebsd.org, Poul-Henning Kamp, Dag-Erling Smørgrav, utisoft@gmail.com
Date: Tue, 10 May 2011 22:31:48 +0200
Subject: Re: Rooting FreeBSD, Privilege Escalation using Jails (P??????tur)
In-Reply-To: <20110510174910.64E48B827@mail.bitblocks.com>
References: <20051.1305023864@critter.freebsd.dk> <86k4dy31v7.fsf@ds4.des.no> <20110510174910.64E48B827@mail.bitblocks.com>

On 10 May 2011 19:49, Bakul Shah wrote:
> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

If you do that then you can't use the jail with a non-root jailed user, and I never want to give what is running in a jail anything more than very unprivileged access.
All I do is this:

/var             - as normal
/var/jails       - 0700
/var/jails/jail1 - 0755
/var/jails/jail2 - 0755
etc.

If an unprivileged user outside the jail was also root inside the jail, he wouldn't be able to get into the /var/jails directory to do any suid rooting.
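The layout above can be checked mechanically. The following script is an added example by the editor, not code from the thread or from FreeBSD: it walks the ancestors of a jail root looking for a directory that is root-owned and carries no search bit for group or other (the 0700 /var/jails in the layout), and separately lists the setuid binaries inside the jail that a host user could execute if such a directory were missing. The function names, the OWNER_UID parameter (defaults to 0, i.e. root; the self-test passes the current uid because it cannot create root-owned directories) and the sample tree under /tmp are all constructed for this example. Mode strings are read from `ls -ldn`, so it runs on FreeBSD and Linux alike.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a jail root is shielded
# from non-root host users by an untraversable, root-owned ancestor directory,
# and list the setuid files inside it that such a user could otherwise run.
# jail_parent_protected, jail_setuid_files and the sample tree in the usage
# section are all assumed names constructed for this example.

# jail_parent_protected JAILROOT [OWNER_UID]
# Walk the ancestors of JAILROOT (excluding JAILROOT itself, which must stay
# traversable for unprivileged users inside the jail) up to /. Succeed if one
# of them is owned by OWNER_UID (default 0, root) and has no execute/search
# bit for group or other, so no other host uid can descend through it.
# Only a literal '-' counts as "no search bit"; the rare 'S'/'T' forms
# (setgid/sticky without execute) are conservatively treated as traversable.
jail_parent_protected() {
    jailroot=$1
    owner=${2:-0}
    d=$(dirname "$jailroot")
    while [ "$d" != "/" ]; do
        # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric uid
        line=$(ls -ldn "$d") || return 1
        perms=$(printf '%s\n' "$line" | awk '{print $1}')
        uid=$(printf '%s\n' "$line" | awk '{print $3}')
        gx=$(printf '%s' "$perms" | cut -c7)    # group search bit
        ox=$(printf '%s' "$perms" | cut -c10)   # other search bit
        if [ "$uid" = "$owner" ] && [ "$gx" = "-" ] && [ "$ox" = "-" ]; then
            echo "$jailroot: protected by $d ($perms, uid $uid)"
            return 0
        fi
        d=$(dirname "$d")
    done
    echo "$jailroot: no untraversable ancestor; other host users can reach files inside it"
    return 1
}

# jail_setuid_files JAILROOT
# Print every regular file under JAILROOT with the setuid bit set. Root inside
# the jail can create these at will; they only matter to the host when a host
# user can traverse to them, which is what jail_parent_protected checks.
jail_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Usage: sh jailaudit.sh /var/jails/jail1 /var/jails/jail2
if [ $# -gt 0 ]; then
    for j in "$@"; do
        jail_parent_protected "$j"
        jail_setuid_files "$j"
    done
fi
```

Run it as root against the real jail roots; a jail whose ancestors are all 0755 is reported as reachable, and any setuid file it lists is exactly the kind of binary a non-root host user could execute to become host root. Note that the mode check alone is not sufficient: a 0700 directory owned by a non-root uid still lets that uid through, which is why the function insists on the owner as well.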