[Bug 288104] Cross-jail privilege spreading via SCM_RIGHTS.

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 288104] Cross-jail privilege spreading via SCM_RIGHTS."
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 08 Jul 2025 20:17:25 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288104

--- Comment #2 from crest@rlwinm.de ---
Also the usual defence of a directory with 0700 permissions as parent of the
jail root directory to prevent an unprivileged user from entering the jail file
system can't be used if jails are supposed to communicate via unix sockets
bound to shared directories.

Mounting the nullfs with nosetuid offers no protection because the passed
setuid binary can be from any filesystem the jail has write access to that
isn't mounted with nosetuid.

Checking the setuid bit when passing the file descriptor(s) is also not good
enough because the setuid flag could be added to the file after the descriptor
has been externalized.

-- 
You are receiving this mail because:
You are the assignee for the bug.