kern/143503: Security bug: jailed shell has access outside of jailed directory
Aaron D. Gifford
astounding at gmail.com
Tue Feb 2 22:10:01 UTC 2010
>Number: 143503
>Category: kern
>Synopsis: Security bug: jailed shell has access outside of jailed directory
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 02 22:10:00 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Aaron D. Gifford
>Release: 8.0-STABLE as of 27 Jan. 2010
>Organization:
>Environment:
FreeBSD mainhost.example.com 8.0-STABLE FreeBSD 8.0-STABLE #0: Wed Jan 27 19:46:39 MST 2010 root at mainhost.example.com:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
/data is a ZFS filesystem... (I don't know if that's relevant or not as I haven't tried this on an 8.0 system NOT running ZFS.)
/data/testjail is a jail in which several directories are nullfs mounted (see the output of "df" below):
/data/basejail 482242304 130051840 352190464 27% /data/testjail/basejail
/usr/ports 352900096 709632 352190464 0% /data/testjail/usr/ports
/usr/src 353247232 1056768 352190464 0% /data/testjail/usr/src
/usr/obj 354452736 2262272 352190464 1% /data/testjail/usr/obj
devfs 2 2 0 100% /data/testjail/dev
THE PROBLEM:
If my current working directory is /data/foo/bar (outside of the jail path I will be using) and I create a NEW jail running bash with the following command, watch what happens:
root at mainhost:/data/foo/bar# jail /data/foo/bar jailhost.example.org 127.0.0.1 /usr/local/bin/bash
root at jailhost:/data/foo/bar# pwd
/data/foo/bar
root at jailhost:/data/foo/bar# ls -l /data/foo/bar
ls: /data/foo/bar: No such file or directory
root at jailhost:/data/foo/bar# ls -l
total 97
-rw-r--r-- 1 root wheel 5530 Jan 18 15:55 NOTES
-rwxr-xr-x 1 root wheel 4770 Feb 2 14:19 myscript1
-rw-r--r-- 1 root wheel 1861 Jan 27 22:25 configuration
-rwxr-xr-x 1 root wheel 7852 Feb 2 14:23 myscriptlib
-rwxr-xr-x 1 root wheel 5981 Jan 31 16:04 myscript2
-rwxr-xr-x 1 root wheel 4163 Feb 2 13:35 myscript3
-rwxr-xr-x 1 root wheel 2639 Jan 8 15:58 myscript4
-rwxr-xr-x 1 root wheel 911 Feb 2 13:37 myscript5
-rw-r--r-- 1 root wheel 3328 Jan 31 08:18 docs.txt
root at jailhost:/data/foo/bar# cd /data/foo/bar
bash: cd: /data/foo/bar: No such file or directory
root at jailhost:/data/foo/bar# cd /data/foo
bash: cd: /data/foo: No such file or directory
root at jailhost:/data/foo/bar# cd ..
root at jailhost:/data/foo# ls -l
total 7
drwxr-xr-x 2 root wheel 2 Feb 2 14:21 bar
drwxr-xr-x 2 root wheel 2 Feb 2 14:21 foo
-rw-r--r-- 1 root wheel 5058 Feb 2 14:22 testing.log
root at jailhost:/data/foo# # echo "IS this file writable or..." > testfile.txt
root at jailhost:/data/foo# ls -l testfile.txt
-rw-r--r-- 1 root wheel 28 Feb 2 14:42 testfile.txt
root at jailhost:/data/foo# cat testfile.txt
IS this file writable or...
root at jailhost:/data/foo# cat /data/foo/testfile.txt
cat: /data/foo/testfile.txt: No such file or directory
root at jailhost:/data/foo# cat ../../data/foo/testfile.txt
IS this file writable or...
root at jailhost:/data/foo# cd foo
root at jailhost:/data/foo/foo# ls -l
total 20
-r--r--r-- 1 root wheel 6196 Feb 2 14:49 COPYRIGHT
-rw-r--r-- 1 root wheel 821 Feb 2 14:49 bar.txt
drwxr-xr-x 13 root wheel 20 Jul 2 2009 data
root at jailhost:/data/foo/foo# cd ../..
root at jailhost:/data# ls -l
total 17
drwxr-xr-x 2 root wheel 9 Jan 31 18:25 conf
drwxr-xr-x 5 root wheel 5 Sep 11 2007 home
drwxrwxr-x 2 root 81 8 Mar 5 2007 logs
drwxrwxr-x 2 root 81 3 Mar 5 2007 phpinc
drwxrwxr-x 14 root 81 32 Jan 31 19:05 web
root at jailhost:/data#
PLEASE NOTE that there IS a /data directory within the jail: /data/foo/bar/data
It is THAT /data directory that the final "ls -l" above showed.
SUMMARY OF PROBLEM:
The jail command gives the jailed process (running as root within the jail) access to the current working directory (outside the jail); it can read from and write to that directory as long as all paths are relative to the working directory.
Entering an existing jail with 'jexec' does not exhibit this problem.
Is there ANY possible configuration where this is okay?
More info about my system that might be relevant:
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 1
>How-To-Repeat:
See above...
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
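Added example (not part of this PR and not FreeBSD's own jail(8) code): a POSIX sh pre-flight check for the condition stated in the summary, namely that the working directory a newly started jail inherits lies outside the jail root. path_within resolves both paths physically, so a symlink under the root that points outside is reported as outside and a sibling such as /data/jail2 is not mistaken for a child of /data/jail; safe_jail then enters the jail root before calling jail(8) with the same positional arguments the report uses (path, hostname, IP, command). The function names and the wrapper are hypothetical. The PR leaves the underlying cause open (Fix: Unknown), so this is a launcher-side mitigation for the reported condition, not a kernel fix.

```shell
#!/bin/sh
# Added example, not from the PR: refuse to hand a new jail a working
# directory that lies outside the jail root. path_within and safe_jail
# are hypothetical names; jail(8) is invoked exactly as in the report.

# path_within ROOT DIR
#   Returns 0 if DIR, after resolving symlinks, is ROOT or lies below it,
#   1 if it lies outside ROOT, 2 if either path cannot be entered.
path_within() {
    # cd -P / pwd -P give the physical path, so a symlink inside ROOT that
    # points elsewhere is judged by where it actually leads.
    pw_root=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 2
    pw_dir=$(cd -P -- "$2" 2>/dev/null && pwd -P) || return 2
    case "$pw_dir" in
        "$pw_root"|"$pw_root"/*) return 0 ;;   # the root itself, or a child path
        *)                       return 1 ;;   # outside; also rejects /data/jail2 vs /data/jail
    esac
}

# safe_jail ROOT HOSTNAME IP COMMAND...
#   Enter ROOT before invoking jail(8), so the jailed process never starts
#   with a working directory the jail root does not cover.
safe_jail() {
    sj_root=$1; shift
    rc=0
    path_within "$sj_root" "$(pwd -P)" || rc=$?
    case $rc in
        0) ;;
        1) echo "note: cwd $(pwd -P) is outside $sj_root; entering jail root first" >&2 ;;
        *) echo "error: cannot resolve jail root $sj_root" >&2; return 2 ;;
    esac
    cd -P -- "$sj_root" || return 2
    # Same argument order as the report: jail path hostname ip command
    exec jail "$sj_root" "$@"
}
```

Sourced into a root shell, it would be used as `safe_jail /data/testjail jailhost.example.org 127.0.0.1 /usr/local/bin/bash` (hypothetical invocation using the report's own paths and hostname); the note on stderr tells the operator when the check actually changed the starting directory.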