Date:      Mon, 9 May 2011 21:12:49 -0400
From:      Jason Hellenthal <jhell@DataIX.net>
To:        Jamie Landeg Jones <jamie@bishopston.net>
Cc:        freebsd-security@freebsd.org, feld@feld.me, edhoprima@gmail.com, utisoft@gmail.com
Subject:   Re: Rooting FreeBSD , =?iso-8859-1?q?Privilege_Escalation_using_J?= =?iso-8859-1?q?ails_=28P=C3=AF=C2=BF=C2=BDtur=29?=
Message-ID:  <20110510011249.GE2558@DataIX.net>
In-Reply-To: <201105091155.p49Bt604053259@catflap.bishopston.net>
References:  <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> <op.vu2g4b0k34t2sn@tech304> <BANLkTikJgPt4SM_B_7drpgFvO8RkvXaOtw@mail.gmail.com> <201105072231.p47MVktY035491@catflap.bishopston.net> <BANLkTikgnqXB4pdvCd9j9n7pFvg=n5FrdQ@mail.gmail.com> <201105091155.p49Bt604053259@catflap.bishopston.net>


Jamie,

On Mon, May 09, 2011 at 12:55:06PM +0100, Jamie Landeg Jones wrote:
> > > A jail won't work for not-root users if the jail root directory is chmod 700 - although
> > > there is obviously a 'chroot' running within the jail, the jailed user still needs
> > > to have read permission from the hosts / -- chmod 700 therefore locks all non-root
> > > users out.
> > >
> >
> > It's weird - I don't remember having such problem after setting jails'
> > root directory permission to 700. I don't have the system anymore so I
> > can't verify it just yet.
> 
> I just tried it again (FreeBSD 8.2) and I am wrong.
> 
> Setting 700 on the jail root does indeed mess things up. But setting it on
> the parent (e.g. /usr/jails), and things are fine.
> 
> Stupid of me, that makes perfect sense. The non-privileged user needs
> read access to the jail's "/".
> 
> Sorry for the spam

In no way is it spam. Consider it a 'test'imonial to others that may ask
that question in the future ;)

Tip: Quick way to lock your system down to only root: ( chmod g= / ) 
***Emergency Use Only**** "molly guard not present" "slippery when throbbed"

Side effect of that is it's not really nice for processes
that run with lower privileges and isn't always apparent why things are
not working correctly so it's best to just use nologin or drop to SU.

-- 

 Regards, (jhell)
 Jason Hellenthal
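
The permission layout settled on in this thread (700 on the parent such as /usr/jails, not on the jail root itself) can be checked with a short audit. This is an added example, not code from the thread; the function names and the sample `jails/www` layout are assumptions, and only the immediate parent directory is inspected.

```python
import os
import stat
import sys
import tempfile

OTHER_RX = stat.S_IROTH | stat.S_IXOTH

def audit_jail_root(jail_root):
    """Return findings for one jail root directory; an empty list means OK."""
    jail_root = os.path.realpath(jail_root)
    parent = os.path.dirname(jail_root)
    root_mode = stat.S_IMODE(os.stat(jail_root).st_mode)
    parent_mode = stat.S_IMODE(os.stat(parent).st_mode)
    findings = []
    # This directory is "/" inside the jail: non-root jailed users need
    # read and search permission on it, so 700 here locks them out.
    if root_mode & OTHER_RX != OTHER_RX:
        findings.append(f"{jail_root}: mode {root_mode:03o} blocks non-root users inside the jail")
    # Only the immediate parent is inspected (assumption: it holds nothing
    # but jails). Without o+x there, unprivileged host users cannot
    # traverse into any jail's file system.
    if parent_mode & stat.S_IXOTH:
        findings.append(f"{parent}: mode {parent_mode:03o} lets unprivileged host users reach jail files")
    return findings

def make_layout(base, parent_mode, root_mode):
    """Build a constructed <base>/jails/www tree with the given modes."""
    parent = os.path.join(base, "jails")
    root = os.path.join(parent, "www")
    os.makedirs(root)
    os.chmod(root, root_mode)
    os.chmod(parent, parent_mode)
    return root

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no arguments: run on a constructed sample layout
        paths = [make_layout(tempfile.mkdtemp(), 0o755, 0o700)]
    for path in paths:
        for finding in audit_jail_root(path) or [f"{path}: OK"]:
            print(finding)
```

Run it with one or more jail root paths as arguments; with no arguments it reports on a constructed layout that has the modes the wrong way round.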


