Modified version of jexec allows non-root access into jails
cperciva at freebsd.org
Fri Dec 29 05:41:42 PST 2006
Bill Moran wrote:
> Feedback is appreciated.
Be very very careful. Both chroot(2) and jail(2) can only be called by
root, and for very good reasons. Unprivileged users can create hardlinks
to files which they don't own, including setuid root binaries; but these
binaries will probably not operate correctly inside a jail of an attacker's
construction (e.g., which contains a root password of "r00tmeplz"). The
attacker can thus obtain jailed root privileges, create all the setuid
root binaries he wants, and then run them from outside of the jail to
obtain root privileges in the host machine.
The fact that you're calling jail_attach(2) instead of jail(2) makes me
slightly less worried, but you'd still have to work very hard to convince
me that this should become part of the FreeBSD base system.
More information about the freebsd-hackers