I just broke out of a FreeBSD jail.. Known bug??

Dr. Aharon Friedman a.friedman at trunutrition.com
Sat Dec 29 17:58:11 PST 2007 

It does not look like you broke it.  Moving directories between jails while
they are running is not part of the game as it breaks chroot.  You could
manipulate files between jails with the jails up by using networking, such
as ftp.

Obviously, one could program chroot to be able to "eat" this stuff, but it
will make the system cumbersome.  Remember, Jails are supposed to protect
against an outside attacker, not against the sys admin.

Aharon

-----Original Message-----
From: Johan Ström [mailto:johan at stromnet.se] 
Sent: Friday, December 28, 2007 7:16 AM
To: freebsd-stable at freebsd.org
Subject: I just broke out of a FreeBSD jail.. Known bug??

Hello list!

I'm running a FreeBSD 6.2-p8 box with a few jails. The other day a  
user of mine uploaded a number of files to one jail, then I (in the  
actual system outside of all jails) moved that directory to another  
jail.. When I later did some chdiring in the original jail, I found  
my self standing in my other jails pwd and beeing able to read/ 
manipulate files!..

Example:

jb-1 (the base machine, jailbox-1)
shell (jail 1)
core (jail 2)

shell /home/johan# pwd
/home/johan
shell /home/johan# ls
.cshrc          .irssi          .login_conf     .mailrc         .profile 
         .shrc           .zcompdump      public_html
.histfile       .login          .mail_aliases   .noident        .rhosts  
         .ssh            .zshrc
shell /home/johan# mkdir test
shell /home/johan# cd test
shell /home/johan/test# touch asd
shell /home/johan/test# ls -al
total 4
drwxr-xr-x  2 root   root   512 Dec 28 13:09 .
drwxr-x--x  6 johan  johan  512 Dec 28 13:09 ..
-rw-r--r--  1 root   root    0 Dec 28 13:09 asd
shell /home/johan/test#

Then moving it on the root box

jb-1 /usr/jails# mv shell/home/johan/test core/home/johan/
jb-1 /usr/jails#

And back on shell jail:

shell /home/johan/test# ls
asd
shell /home/johan/test# pwd
pwd: .: No such file or directory
shell /home/johan/test# cd ..
shell /home/johan# ls
.cshrc          .lesshst        .mailrc         .shrc           .vimrc   
         file.big        roundcube.sql   www.tar.gz
.histfile       .login          .mysql_history  .ssh            .zcompdu 
mp      pics            stuff
.history        .login_conf     .profile        .vim            .zshrc   
         postfix-2.4.5   test
.irssi          .mail_aliases   .rhosts         .viminfo         
cacert.pem      public_html     vmail.tar.gz
shell /home/johan#

Thats my home dir on core!.. That should very much not be visible  
there! I have full access now (from the wrong jail!)

Known bug or did I just stumble upon something pretty bad??

--
Johan Ström
Stromnet
johan at stromnet.se
http://www.stromnet.se/




No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.516 / Virus Database: 269.17.11/1201 - Release Date: 12/28/2007
11:51 AM

More information about the freebsd-stable mailing list