Date: Mon, 12 Apr 2010 17:14:16 -0600 From: "Erich Jenkins, Fuujin Group Ltd" <erich@fuujingroup.com> To: glarkin@FreeBSD.org Cc: =?UTF-8?B?S2FsbGUg?=, freebsd-bugs@freebsd.org, freebsd-jail@freebsd.org, =?UTF-8?B?TcO4bGxlcg==?= <freebsd-questions@k-moeller.dk>, smithi@nimnet.asn.au Subject: Re: jail file and directory permissions Message-ID: <4BC3A948.7010601@fuujingroup.com> In-Reply-To: <4BC31B31.6060201@FreeBSD.org> References: <4BC2C578.9080108@fuujingroup.com> <i2l8250ac3f1004120043ga734bbe0s952dda5712ea38a5@mail.gmail.com> <4BC2E662.1050007@fuujingroup.com> <4BC31B31.6060201@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Greg Larkin wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Erich Jenkins, Fuujin Group Ltd wrote: >> Kalle Møller wrote: >> <snip> >>> Could you please make a command list on what your doing and with >>> output.. like this ... >>> >>> -- >>> >>> Med Venlig Hilsen >>> >>> Kalle R. Møller >> </snip> >> >> Here's what I'm seeing: >> >> jail0495> pwd >> /usr/home/testuser >> jail0495> ll >> -rw------- 1 testuser rmtuser 1957 Apr 12 02:22 .history >> drwxr--r-- 2 root wheel 1024 Apr 12 02:22 testdir >> jail0495> users >> testuser >> jail0495> cd testdir >> jail0495> ll >> -rw-r--r-- 2 root wheel 4096 Apr 12 02:24 textfile.txt >> jail0495> rm textfile.txt >> override rw-r--r-- root/wheel for textfile.txt ? y >> jail0495> ll >> total 0 >> jail0495> >> >> As you can see, this is of great concern. >> > > Hi Erich, > > I use jails extensively on my company systems here, so I am interested > in this problem. I set up a test environment that I believe mirrors yours: > > jail54# pwd > /usr/home/glarkin > jail54# ls -al testdir > total 6 > drwxr--r-- 2 root wheel 512 Apr 12 08:52 . > drwxr-xr-x 5 glarkin glarkin 512 Apr 12 08:52 .. > - -rw-r--r-- 1 root wheel 7 Apr 12 08:52 foo.txt > jail54# # exit > [glarkin@jail54 ~]$ cd testdir > - -bash: cd: testdir: Permission denied > [glarkin@jail54 ~]$ rm testdir/foo.txt > rm: testdir/foo.txt: Permission denied > [glarkin@jail54 ~]$ rm -rf testdir > rm: testdir/foo.txt: Permission denied > rm: testdir: Directory not empty > > My situation is slightly different than yours, since my jails are based > on FreeBSD 6.4, instead of 7.x. > > As a first step to troubleshooting, please log in to your jail as your > non-privileged user, run the following commands from its home directory, > then post the permtest1.log and permtest2.log files somewhere that we > can review them: > > truss -f -a -s 256 -o permtest1.log cd testdir > > truss -f -a -s 256 -o permtest2.log rm testdir/textfile.txt > > Also run the "df" and "mount" commands from the user's home directory > inside the jail as well as from the same directory but outside of the > jail context. Please post the output of those commands somewhere as well. > > Thank you, > Greg > - -- > Greg Larkin > > http://www.FreeBSD.org/ - The Power To Serve > http://www.sourcehosting.net/ - Ready. Set. Code. > http://twitter.com/sourcehosting/ - Follow me, follow you > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iD8DBQFLwxsx0sRouByUApARAtTPAJ9sacXc0MdWT9CwYUXTBu7i+Ks+qwCePUN4 > D5EwzGjeAaCCdMMtsbr0G60= > =YPlm > -----END PGP SIGNATURE----- > > _______________________________________________ > freebsd-bugs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-bugs > To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org" Greg: Interestingly enough, this is what I get when running truss: truss: cannot open /proc/curproc/mem: No such file or directory truss: cannot open1 /proc/13713/mem: No such file or directory However, Ian made a suggestion that completely eluded me: simply look at the effective user and group info via id -p (which I should have done prior to posting in the first place, my apologies). The output was: jail0495> id -p login testuser uid root groups wheel rmtuser However, jail0495> users testuser So apparently, this install thinks the user has root privileges. Here's where it gets strange. I rebooted the box (this is in a lab), and logged back in as the user, but did not su to root. I did a few things that seem easy to follow from the command line, but please ask if anything is unclear: jail0495> id -p uid testuser groups rmtuser jail0495> pwd /usr/home/testuser jail0495> ll -rw------- 1 testuser rmtuser 1957 Apr 12 02:22 .history drwxr-xr-x 2 root wheel 1024 Apr 12 02:22 testdir (this is a login with a user in the wheel group from another session) jail0495> su root Password: jail0495# cd testdir jail0495# ll total 0 jail0495# dd if=/dev/random of=testfile bs=10k count=1 1+0 records in 1+0 records out 10240 bytes transferred in 0.000632 secs (16207424 bytes/sec) jail0495# ll -rw-r--r-- 1 root wheel 10240 Apr 12 15:18 testfile jail0495# exit exit jail0495> exit (this is the end of that session) (back to the first session with the unprivileged user) jail0495> id -p login testuser uid root groups wheel rmtuser jail0495> users testuser jail0495> To be honest, my first thought was "What the hell is this!?!" So, I rebooted the box again after remembering something about user privilege escalation in an older release of NetBSD I had seen some years ago. (since we're talking jails, this problem is FreeBSD related, just to be clear) Now I get this after a fresh reboot: login as: testuser Using keyboard-interactive authentication. Password: Last login: Mon Apr 12 14:46:26 2010 from [ redacted ] <snip> jail0495> users testuser jail0495> pwd /usr/home/testuser jail0495> ll -rw------- 1 testuser rmtuser 1957 Apr 12 02:22 .history drwxr-xr-x 2 root wheel 1024 Apr 12 02:22 testdir jail0495> cd testdir jail0495> ll -rw-r--r-- 1 root wheel 10240 Apr 12 15:18 testfile jail0495> rm testfile override rw-r--r-- root/wheel for testfile ? y rm: testfile: Permission denied jail0495> But watch this after an su from another session: (testuser is NOT a member of the wheel group!! and this is not the su session, but the first login session) jail0495> id -p login testuser uid root groups wheel rmtuser jail0495> users testuser jail0495> rm testfile override rw-r--r-- root/wheel for testfile ? y jail0495> ll total 0 jail0495> It gets worse. I added another user not in the wheel group, and created another group for this new user. Then I logged in as this user, and as the other test user from another session. It appears that once there has been an SU to root, ALL users have root permissions regardless of their group membership or login privileges. Since this was a buildworld copied via NFS from a build environment, it appears that something has gone terribly wrong during the build. I'm going to wipe this machine and do a completely fresh install of 7.0-REL, buildworld, and set up a jail to see if something did indeed break, or if this is an actual bug. Thank you very much to everyone who's responded to this issue. Your input has been instrumental in helping troubleshoot this. I'll post as soon as the build completes and I have a chance to test this tonight. Erich M. Jenkins Fuujin Group Limited "You should never, never doubt what no one is sure about." -- Gene Wilder
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BC3A948.7010601>