kern/143503: Security bug: jailed shell has access outside of jailed directory

Aaron D. Gifford astounding at gmail.com
Tue Feb 2 22:10:01 UTC 2010


>Number:         143503
>Category:       kern
>Synopsis:       Security bug: jailed shell has access outside of jailed directory
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 02 22:10:00 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Aaron D. Gifford
>Release:        8.0-STABLE as of 27 Jan. 2010
>Organization:
>Environment:
FreeBSD mainhost.example.com 8.0-STABLE FreeBSD 8.0-STABLE #0: Wed Jan 27 19:46:39 MST 2010     root at mainhost.example.com:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
/data is a ZFS filesystem... (I don't know if that's relevant or not as I haven't tried this on an 8.0 system NOT running ZFS.)

/data/testjail is a jail in which several directories are nullfs mounted (see the "df" output below):

/data/basejail                       482242304  130051840 352190464    27%    /data/testjail/basejail
/usr/ports                                           352900096     709632 352190464     0%    /data/testjail/usr/ports
/usr/src                                             353247232    1056768 352190464     0%    /data/testjail/usr/src
/usr/obj                                             354452736    2262272 352190464     1%    /data/testjail/usr/obj
devfs                                                        2          2         0   100%    /data/testjail/dev



THE PROBLEM:

If my current working directory is /data/foo/bar (outside of the jail path I will be using) and I create a NEW jail running bash with the following command, watch what happens:

root at mainhost:/data/foo/bar# jail /data/foo/bar jailhost.example.org 127.0.0.1 /usr/local/bin/bash
root at jailhost:/data/foo/bar# pwd
/data/foo/bar
root at jailhost:/data/foo/bar# ls -l /data/foo/bar
ls: /data/foo/bar: No such file or directory
root at jailhost:/data/foo/bar# ls -l
total 97
-rw-r--r--  1 root  wheel  5530 Jan 18 15:55 NOTES
-rwxr-xr-x  1 root  wheel  4770 Feb  2 14:19 myscript1
-rw-r--r--  1 root  wheel  1861 Jan 27 22:25 configuration
-rwxr-xr-x  1 root  wheel  7852 Feb  2 14:23 myscriptlib
-rwxr-xr-x  1 root  wheel  5981 Jan 31 16:04 myscript2
-rwxr-xr-x  1 root  wheel  4163 Feb  2 13:35 myscript3
-rwxr-xr-x  1 root  wheel  2639 Jan  8 15:58 myscript4
-rwxr-xr-x  1 root  wheel   911 Feb  2 13:37 myscript5
-rw-r--r--  1 root  wheel  3328 Jan 31 08:18 docs.txt
root at jailhost:/data/foo/bar# cd /data/foo/bar
bash: cd: /data/foo/bar: No such file or directory
root at jailhost:/data/foo/bar# cd /data/foo
bash: cd: /data/foo: No such file or directory
root at jailhost:/data/foo/bar# cd ..
root at jailhost:/data/foo# ls -l
total 7
drwxr-xr-x  2 root  wheel     2 Feb  2 14:21 bar
drwxr-xr-x  2 root  wheel     2 Feb  2 14:21 foo
-rw-r--r--  1 root  wheel  5058 Feb  2 14:22 testing.log
root at jailhost:/data/foo# # echo "IS this file writable or..." > testfile.txt
root at jailhost:/data/foo# ls -l testfile.txt
-rw-r--r--  1 root  wheel  28 Feb  2 14:42 testfile.txt
root at jailhost:/data/foo# cat testfile.txt
IS this file writable or...
root at jailhost:/data/foo# cat /data/foo/testfile.txt
cat: /data/foo/testfile.txt: No such file or directory
root at jailhost:/data/foo# cat ../../data/foo/testfile.txt
IS this file writable or...
root at jailhost:/data/foo# cd foo
root at jailhost:/data/foo/foo# ls -l
total 20
-r--r--r--   1 root  wheel  6196 Feb  2 14:49 COPYRIGHT
-rw-r--r--   1 root  wheel   821 Feb  2 14:49 bar.txt
drwxr-xr-x  13 root  wheel    20 Jul  2  2009 data
root at jailhost:/data/foo/foo# cd ../..
root at jailhost:/data# ls -l
total 17
drwxr-xr-x   2 root  wheel   9 Jan 31 18:25 conf
drwxr-xr-x   5 root  wheel   5 Sep 11  2007 home
drwxrwxr-x   2 root  81      8 Mar  5  2007 logs
drwxrwxr-x   2 root  81      3 Mar  5  2007 phpinc
drwxrwxr-x  14 root  81     32 Jan 31 19:05 web
root at jailhost:/data# 


PLEASE NOTE that there IS a /data directory within the jail: /data/foo/bar/data
It is THAT /data directory that the final "ls -l" above showed.



SUMMARY OF PROBLEM:
The jail command gives the jailed process (running as root within the jail) access to the current working directory (outside the jail); it can read from and write to it as long as all paths are relative to the working directory.

Entering an existing jail with 'jexec' does not exhibit this problem.



Is there ANY possible configuration where this is okay?


More info about my system that might be relevant:

security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 1


>How-To-Repeat:
See above...
>Fix:
Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted:


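Added example, not part of the PR and not FreeBSD's own code: a POSIX sh guard for the condition the report describes. `inside_root ROOT DIR` succeeds only if DIR resolves to ROOT or a directory beneath it, comparing directories with `-ef` (device and inode) rather than by path string, because the report shows one string, /data, naming different directories on either side of the jail boundary; `start_jailed_in ROOT cmd...` changes into the root before running the jail command, so the jailed process starts with its working directory at the jail root instead of wherever the operator happened to be. Function names and the /path/to/jail placeholder are mine.

```sh
#!/bin/sh
# Added example, not from the PR or FreeBSD: guard against jailing a process
# whose working directory lies outside the jail root. Function names are
# illustrative.

# inside_root ROOT DIR
# Succeeds (exit 0) only if DIR resolves to ROOT or to a directory beneath it.
# Walks DIR toward / and compares each ancestor with ROOT using -ef (same
# device and inode), so symlinks and ".." are resolved first and two distinct
# directories that share a path string (the host's /data and the jail's /data
# in the report) are never confused.
inside_root() {
    root=$1
    dir=$(cd "$2" 2>/dev/null && pwd -P) || return 1   # DIR must exist
    while :; do
        [ "$dir" -ef "$root" ] && return 0
        [ "$dir" = / ] && return 1                     # reached / without a hit
        dir=$(dirname "$dir")
    done
}

# start_jailed_in ROOT CMD [ARGS...]
# Runs CMD with the working directory set to ROOT first, e.g.
#   start_jailed_in /path/to/jail jail /path/to/jail jailhost.example.org 127.0.0.1 /usr/local/bin/bash
# (/path/to/jail is a placeholder) so the jailed shell begins inside the jail
# and the relative-path walk in the report has nothing outside the root to reach.
start_jailed_in() {
    root=$1; shift
    [ -d "$root" ] || { echo "start_jailed_in: no such directory: $root" >&2; return 1; }
    if ! inside_root "$root" "$(pwd -P)"; then
        echo "start_jailed_in: cwd $(pwd -P) is outside $root; moving into it" >&2
    fi
    (cd "$root" && exec "$@")
}
```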