Thoughts on jail privilege (FAQ submission)

Jon Passki jon.passki at hursk.com
Thu Jan 15 11:00:43 PST 2009


On Thu, Jan 15, 2009 at 11:09 AM, Chris Rees <utisoft at googlemail.com> wrote:

> Hey all,
>
> I think that there should be a warning (on the jail man page or
> handbook page perhaps), on setuid in jails. Ex:
>
> John <-- user on the (host) server
>
> I give John root access to a jail (just for him to play with), and he
> then sets vi (for example) to setuid root. He then sshs into the host,
> and uses
>
> $ /usr/jail/johnsandbox/usr/bin/vi /usr/local/etc/sudoers
>
> He now has root!
>
> Am I completely thick not to have noticed this, or should there be a
> warning about people being allowed to have root in a jail where they
> have unprivileged access to the host? Or have I missed the point of a
> jail?
>

Nice catch!  My SOP is to chmod 700 on the directory hosting the jails.
Your example is a file system issue that is shared between multiple levels
of trust for one user.  FreeBSD jails do not offer protection on the file
system space outside of the jail.  This should be documented as a gotcha,
though.  Another thing to think about is user IDs.  You could have a user ID
in your host of 1001.  Your jail could have a completely different user
account, but collide on the user ID of 1001.  Your host user ID 1001 will
have access to those jail user ID 1001 files, unless you restrict a parent
directory.  That was the use case I came across and avoided.

Jon
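The two exposures discussed in this thread can be audited from the host side. The following sh script is an added example, not code from the thread: it checks whether the directory holding the jail roots is traversable by other host users (Jon's chmod 700 SOP), counts setuid/setgid files under it, and lists UIDs that exist under different names in the host's and a jail's passwd files. All paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Audits the two
# exposures discussed above.  Paths are placeholders; run as the host admin.

# Return 0 when only the owner can traverse the directory holding the jail
# roots, 1 when group/other have any access bits at all.
parent_private() {
    perms=$(ls -ld "$1" | cut -c1-10)     # e.g. drwx------
    case "$perms" in
        ????------) return 0 ;;
        *) echo "WARN: $1 is $perms; other host users can reach jail files"
           return 1 ;;
    esac
}

# Print the number of setuid/setgid regular files below the jails directory.
# Each one is runnable from the host as a plain binary, outside the jail.
count_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Given the host's and a jail's passwd files, print "uid host_name jail_name"
# for every UID present in both under different names: on the host side the
# host user owns whatever that jail user owns.
uid_collisions() {
    awk -F: 'NR == FNR { host[$3] = $1; next }
             ($3 in host) && host[$3] != $1 { print $3, host[$3], $1 }' "$1" "$2"
}

# Combined audit: return 0 if the jails directory is private, or is open but
# holds no setuid/setgid files; otherwise report and return 1.
audit_jails() {
    if parent_private "$1"; then
        return 0
    fi
    n=$(count_setuid "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n setuid/setgid files under $1 reachable by host users"
        return 1
    fi
    return 0
}
```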


More information about the freebsd-security mailing list