Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

Chris Rees utisoft at gmail.com
Sun May 8 08:58:36 UTC 2011


On 8 May 2011 08:52, Jason Hellenthal <jhell at dataix.net> wrote:
>
> Edho,
>
> On Sun, May 08, 2011 at 09:15:28AM +0700, Edho P Arief wrote:
>> On Sun, May 8, 2011 at 5:31 AM, Jamie Landeg Jones <jamie at bishopston.net> wrote:
>> >> All the same, I've sent a PR [1] with some doc patches to make people
>> >> more aware of this -- fulfilling my promise of 2+ years ago :S
>> >>
>> >> Thanks!
>> >>
>> >> Chris
>> >>
>> >> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853
>> >
>> > Um. Some problems here.
>> >
>> > A jail won't work for not-root users if the jail root directory is chmod 700 - although
>> > there is obviously a 'chroot' running within the jail, the jailed user still needs
>> > to have read permission from the host's / -- chmod 700 therefore locks all non-root
>> > users out.
>> >
>>
>> It's weird - I don't remember having such a problem after setting jails'
>> root directory permission to 700. I don't have the system anymore so I
>> can't verify it just yet.
>
> It should also be noted here that the jailed root user also has permission
> to chmod(1) '/' to anything he or she wants unless you have taken
> precaution to not allow that. I would recommend storing your jails two
> levels deep into a directory and chmod(1) 700 the first level to prevent
> access from the host and from the jailed root user changing the perms.
>

Oops, you're absolutely right.

I've updated the docs patches (links at [1]), though unfortunately it
means it's a little less elegant; I'm reluctant to suggest

# chmod 0700 $D/..

in case someone sets $D to /usr/local/myjail or similar...

Chris

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/156853
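
Added example, not part of the original message or of the patches in the PR: one way to apply the "first level 0700" advice without the hazard of running chmod on a shared directory such as /usr/local. The function name lock_jail_parent and its policy (refuse unless the parent directory contains nothing but the jail root) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the PR's doc patches).
# lock_jail_parent D
#   chmod 0700 the directory that contains jail root D, so host users cannot
#   reach into the jail and the jailed root cannot undo it (the parent lies
#   outside the jail). Returns 1 and changes nothing when the parent is
#   shared, e.g. D=/usr/local/myjail, where the parent is /usr/local.
lock_jail_parent() {
    d=$1
    [ -d "$d" ] || { echo "not a directory: $d" >&2; return 1; }

    # Resolve to a physical absolute path so symlinks or a trailing ".."
    # cannot point the chmod at an unexpected directory.
    d=$(cd -P -- "$d" && pwd -P) || return 1
    parent=$(dirname "$d")
    name=$(basename "$d")

    [ "$parent" != "/" ] || { echo "refusing: parent is /" >&2; return 1; }

    # Any sibling of the jail root, hidden or not, means the parent is not
    # dedicated to this jail. Unmatched globs stay literal and are skipped.
    for entry in "$parent"/* "$parent"/.[!.]* "$parent"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        [ "$(basename "$entry")" = "$name" ] && continue
        echo "refusing: $parent also contains $entry" >&2
        return 1
    done

    chmod 0700 "$parent"
}
```

With a constructed layout such as /jails/www/root, calling lock_jail_parent /jails/www/root sets /jails/www to 0700, while a jail placed directly under a shared directory is refused.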

