jail file and directory permissions

Erich Jenkins, Fuujin Group Ltd erich at fuujingroup.com
Mon Apr 12 22:14:27 UTC 2010


Greg Larkin wrote:
> 
> Erich Jenkins, Fuujin Group Ltd wrote:
>> Kalle Møller wrote:
>> <snip>
>>> Could you please make a command list on what you're doing and with
>>> output.. like this ...
>>>
>>> -- 
>>>
>>> Med Venlig Hilsen
>>>
>>> Kalle R. Møller
>> </snip>
>>
>> Here's what I'm seeing:
>>
>> jail0495> pwd
>> /usr/home/testuser
>> jail0495> ll
>> -rw-------   1 testuser rmtuser   1957 Apr 12 02:22 .history
>> drwxr--r--   2 root     wheel     1024 Apr 12 02:22 testdir
>> jail0495> users
>> testuser
>> jail0495> cd testdir
>> jail0495> ll
>> -rw-r--r--   2 root     wheel     4096 Apr 12 02:24 textfile.txt
>> jail0495> rm textfile.txt
>> override rw-r--r--  root/wheel for textfile.txt ? y
>> jail0495> ll
>> total 0
>> jail0495>
>>
>> As you can see, this is of great concern.
>>
> 
> Hi Erich,
> 
> I use jails extensively on my company systems here, so I am interested
> in this problem.  I set up a test environment that I believe mirrors yours:
> 
> jail54# pwd
> /usr/home/glarkin
> jail54# ls -al testdir
> total 6
> drwxr--r--  2 root     wheel    512 Apr 12 08:52 .
> drwxr-xr-x  5 glarkin  glarkin  512 Apr 12 08:52 ..
> -rw-r--r--  1 root     wheel      7 Apr 12 08:52 foo.txt
> jail54# # exit
> [glarkin@jail54 ~]$ cd testdir
> -bash: cd: testdir: Permission denied
> [glarkin@jail54 ~]$ rm testdir/foo.txt
> rm: testdir/foo.txt: Permission denied
> [glarkin@jail54 ~]$ rm -rf testdir
> rm: testdir/foo.txt: Permission denied
> rm: testdir: Directory not empty
> 
> My situation is slightly different than yours, since my jails are based
> on FreeBSD 6.4, instead of 7.x.
> 
> As a first step to troubleshooting, please log in to your jail as your
> non-privileged user, run the following commands from its home directory,
> then post the permtest1.log and permtest2.log files somewhere that we
> can review them:
> 
> truss -f -a -s 256 -o permtest1.log cd testdir
> 
> truss -f -a -s 256 -o permtest2.log rm testdir/textfile.txt
> 
> Also run the "df" and "mount" commands from the user's home directory
> inside the jail as well as from the same directory but outside of the
> jail context.  Please post the output of those commands somewhere as well.
> 
> Thank you,
> Greg
> --
> Greg Larkin
> 
> http://www.FreeBSD.org/           - The Power To Serve
> http://www.sourcehosting.net/     - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you

Greg:

Interestingly enough, this is what I get when running truss:

truss: cannot open /proc/curproc/mem: No such file or directory
truss: cannot open1 /proc/13713/mem: No such file or directory

However, Ian made a suggestion that completely eluded me: simply look at 
the effective user and group info via id -p (which I should have done 
prior to posting in the first place, my apologies). The output was:

jail0495> id -p
login   testuser
uid     root
groups  wheel  rmtuser

However,

jail0495> users
testuser

So apparently, this install thinks the user has root privileges. Here's 
where it gets strange. I rebooted the box (this is in a lab), and logged 
back in as the user, but did not su to root. I did a few things that 
seem easy to follow from the command line, but please ask if anything is 
unclear:

jail0495> id -p
uid     testuser
groups  rmtuser
jail0495> pwd
/usr/home/testuser
jail0495> ll
-rw-------   1 testuser rmtuser   1957 Apr 12 02:22 .history
drwxr-xr-x   2 root     wheel     1024 Apr 12 02:22 testdir

(this is a login with a user in the wheel group from another session)
jail0495> su root
Password:
jail0495# cd testdir
jail0495# ll
total 0
jail0495# dd if=/dev/random of=testfile bs=10k count=1
1+0 records in
1+0 records out
10240 bytes transferred in 0.000632 secs (16207424 bytes/sec)
jail0495# ll
-rw-r--r--   1 root     wheel    10240 Apr 12 15:18 testfile
jail0495# exit
exit
jail0495> exit
(this is the end of that session)

(back to the first session with the unprivileged user)
jail0495> id -p
login   testuser
uid     root
groups  wheel  rmtuser
jail0495> users
testuser
jail0495>

To be honest, my first thought was "What the hell is this!?!" So, I 
rebooted the box again after remembering something about user privilege 
escalation in an older release of NetBSD I had seen some years ago. 
(since we're talking jails, this problem is FreeBSD related, just to be 
clear)

Now I get this after a fresh reboot:

login as: testuser
Using keyboard-interactive authentication.
Password:
Last login: Mon Apr 12 14:46:26 2010 from [ redacted ]
<snip>

jail0495> users
testuser
jail0495> pwd
/usr/home/testuser
jail0495> ll
-rw-------   1 testuser rmtuser   1957 Apr 12 02:22 .history
drwxr-xr-x   2 root     wheel     1024 Apr 12 02:22 testdir
jail0495> cd testdir
jail0495> ll
-rw-r--r--   1 root     wheel    10240 Apr 12 15:18 testfile
jail0495> rm testfile
override rw-r--r--  root/wheel for testfile ? y
rm: testfile: Permission denied
jail0495>

But watch this after an su from another session:

(testuser is NOT a member of the wheel group!! and this is not the su 
session, but the first login session)
jail0495> id -p
login   testuser
uid     root
groups  wheel  rmtuser
jail0495> users
testuser
jail0495> rm testfile
override rw-r--r--  root/wheel for testfile ? y
jail0495> ll
total 0
jail0495>

It gets worse. I added another user not in the wheel group, and created 
another group for this new user. Then I logged in as this user, and as 
the other test user from another session. It appears that once there has 
been an SU to root, ALL users have root permissions regardless of their 
group membership or login privileges.

Since this was a buildworld copied via NFS from a build environment, it 
appears that something has gone terribly wrong during the build. I'm 
going to wipe this machine and do a completely fresh install of 7.0-REL, 
buildworld, and set up a jail to see if something did indeed break, or 
if this is an actual bug.

Thank you very much to everyone who's responded to this issue. Your 
input has been instrumental in helping troubleshoot this. I'll post as 
soon as the build completes and I have a chance to test this tonight.

Erich M. Jenkins
Fuujin Group Limited

"You should never, never doubt what no one is sure about."
-- Gene Wilder
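
Added example, not part of the original post: a small model of the classic UNIX mode-bit checks, applied to the directory listings and `id -p` output quoted in this thread. The function names are made up for illustration, and the model assumes no ACLs, sticky bit or file flags are involved.

```shell
#!/bin/sh
# Added example: classic UNIX mode-bit checks for the listings in this thread.
# Simplified model (assumption): no ACLs, sticky bit, or file flags.

# perm_triplet MODE OWNER GROUP USER "GROUPS"
# Prints the rwx triplet of MODE (an ls-style string such as drwxr--r--)
# that applies to USER: owner bits, else group bits, else other bits.
perm_triplet() {
    if [ "$4" = "$2" ]; then
        printf '%s\n' "$1" | cut -c2-4
        return 0
    fi
    for g in $5; do
        if [ "$g" = "$3" ]; then
            printf '%s\n' "$1" | cut -c5-7
            return 0
        fi
    done
    printf '%s\n' "$1" | cut -c8-10
}

# may_chdir: entering a directory needs search (x) permission on it.
# uid 0 (named "root" here) bypasses the mode bits.
may_chdir() {
    if [ "$4" = root ]; then echo allowed; return 0; fi
    case $(perm_triplet "$@") in
        ??x) echo allowed ;;
        *)   echo denied ;;
    esac
}

# may_unlink: removing an entry needs write and search permission on the
# directory; the mode of the file being removed is not consulted.
may_unlink() {
    if [ "$4" = root ]; then echo allowed; return 0; fi
    case $(perm_triplet "$@") in
        ?wx) echo allowed ;;
        *)   echo denied ;;
    esac
}

# Directory modes and identities as they appear in the sessions above.
echo "drwxr--r-- root:wheel, testuser (rmtuser):       cd $(may_chdir drwxr--r-- root wheel testuser rmtuser), rm $(may_unlink drwxr--r-- root wheel testuser rmtuser)"
echo "drwxr--r-- root:wheel, testuser (wheel rmtuser): cd $(may_chdir drwxr--r-- root wheel testuser 'wheel rmtuser'), rm $(may_unlink drwxr--r-- root wheel testuser 'wheel rmtuser')"
echo "drwxr-xr-x root:wheel, testuser (rmtuser):       cd $(may_chdir drwxr-xr-x root wheel testuser rmtuser), rm $(may_unlink drwxr-xr-x root wheel testuser rmtuser)"
echo "drwxr--r-- root:wheel, uid root:                 cd $(may_chdir drwxr--r-- root wheel root wheel), rm $(may_unlink drwxr--r-- root wheel root wheel)"
```

Under this model, membership in wheel alone does not permit the `cd` or `rm` on the `drwxr--r--` directory; only the `uid root` identity reported by `id -p` does.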

