Modified version of jexec allows non-root access into jails
wmoran at collaborativefusion.com
Fri Dec 29 06:11:49 PST 2006
In response to Colin Percival <cperciva at freebsd.org>:
> Bill Moran wrote:
> > http://people.collaborativefusion.com/~wmoran/code/jailme.html
> > Feedback is appreciated.
> Be very very careful. Both chroot(2) and jail(2) can only be called by
> root, and for very good reasons. Unprivileged users can create hardlinks
> to files which they don't own, including setuid root binaries; but these
> binaries will probably not operate correctly inside a jail of an attacker's
> construction (e.g., which contains a root password of "r00tmeplz"). The
> attacker can thus obtain jailed root privileges, create all the setuid
> root binaries he wants, and then run them from outside of the jail to
> obtain root privileges in the host machine.
Interesting. I hadn't considered that possibility.
> The fact that you're calling jail_attach(2) instead of jail(2) makes me
> slightly less worried, but you'd still have to work very hard to convince
> me that this should become part of the FreeBSD base system.
Well, my ultimate goal is to get it in _only_ if it makes sense as part
of the base system -- and I'm not even fully convinced of that yet.
The scenario you're describing (correct me if I misunderstand) would be a
user who has a normal account on the host system, but has root access inside
a pre-existing jail. Said user could create a setuid binary inside the
jail filesystem that would continue to be setuid in the host, and basically
leads to a privilege escalation. This is possible even without the addition
of the jailme program, however. Basically, any user who has root inside a
jail and a normal account on the host system can easily get root permissions
outside the jail. It's probably possible to prevent this by careful use
of nosetuid mounted filesystems within the jail.
You also describe a scenerio where a user can create a jail of his own
design and give himself root inside it, thus allowing him to use the
setuid trick to get root on the host as well. The place this falls down
is that the user would need to already have root to create the jail in the
I suppose I hadn't thought this through because our setup has users with
normal accounts both inside and outside the jail, and our ultimate goal
is to keep these users from ever having or needing root access in either
I'll wrap it up and submit it as a port. It seems like most of the current
jail utilities start out as ports anyway, so that seems to be a good path
to determine whether or not it's a proper fit for the base system. If not,
it can just stay a port for anyone who finds it useful.
Collaborative Fusion Inc.
More information about the freebsd-hackers