Date: Thu, 6 Mar 2014 02:13:57 +0000 From: Tom Evans <tevans.uk@googlemail.com> To: Xin LI <d@delphij.net> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, Nicola Galante <galante@veritas.sao.arizona.edu> Subject: Re: misc/187307: Security vulnerability with FreeBSD Jail Message-ID: <CAFHbX1KrdEtmJn4ZAj1ER41a%2BYcyjAx_9fiDAySYK2YRN0xy_g@mail.gmail.com> In-Reply-To: <5317B597.5050900@delphij.net> References: <201403052307.s25N7NoD045308@cgiserv.freebsd.org> <5317B597.5050900@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Mar 5, 2014 at 11:39 PM, Xin Li <delphij@delphij.net> wrote: > This is NOT a problem with jail. For starters, it's very bad idea to > give out host shell account, privileged or not, to jail users if they > are not trusted. Let's consider this scenario: > > jail$ su -l > jail# cp /usr/bin/less /bin/root_shell > jail# chown root:wheel /bin/root_shell > jail# chmod 6555 /bin/root_shell > jail# logout > jail$ logout > > Then, you basically have a setuid binary that can be reached from host > system. As an attacker I would do: > > host$ /path/to/jail/bin/root_shell > # > As a defender I would hope that someone has already done: host# chmod 700 /path/to You're right though, jail users have no business on the host. Cheers Tom
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFHbX1KrdEtmJn4ZAj1ER41a%2BYcyjAx_9fiDAySYK2YRN0xy_g>