misc/132092: jail can listen on *:port when jail_socket_unixiproute_only set to NO

Aleksandr Stankevic alex at braske.net
Wed Feb 25 01:10:05 PST 2009


>Number:         132092
>Category:       misc
>Synopsis:       jail can listen on *:port when jail_socket_unixiproute_only set to NO
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 25 09:10:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Aleksandr Stankevic
>Release:        
>Organization:
>Environment:
FreeBSD alex.viko.lt 7.1-RELEASE-p3 FreeBSD 7.1-RELEASE-p3 #0: Tue Feb 24 22:53:54 EET 2009     alex at alex.viko.lt:/usr/src/sys/i386/compile/GENERIC  i386

>Description:
I've noticed that apache in jail is listening on *:80.
After debugging for some time, I found out it's because of jail_socket_unixiproute_only set to NO.

The problem is that it is really listening on *:80, and not on the IP the jail was given.
I.e. 

Host system ip: 111.111.128.50
Jail system ip: 111.111.128.51

Host system only has sshd running, no other network services.
Jail system has apache installed. Apache is listening on *:80
By telnetting to 111.111.128.50:80 (the host IP) I will connect to the jail system.
It's kind of jail escape IMHO.

Other jails, which don't have anything listening on port 80, can be connected to via port 80. But the destination server will be the jail which listens on *:80.

>How-To-Repeat:
Set jail_socket_unixiproute_only=NO in rc.conf, start a jail, and create a socket listening on *:port
Can't reproduce with software like netcat, but software like apache/jabberd can listen on *:port.

>Fix:
I don't know if that's a wanted behavior.
I can see two solutions:
1. If it should work that way, then add a note/warning to the docs so users know that setting jail_socket_unixiproute_only to NO will lower the security of the jail by letting it bind to the wildcard IP.
2. If it shouldn't work that way, then fix it so it can't listen on the wildcard IP, and that way fix the jail/privilege escape.

>Release-Note:
>Audit-Trail:
>Unformatted:
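A defender-side check for the condition described in this report, added here as an example and not part of the original submission: it reads an rc.conf fragment and `sockstat -4 -l` output captured inside a jail (both constructed samples below, values made up) and flags jailed listeners bound to *:port whenever jail_socket_unixiproute_only is set to NO.

```python
import re
from typing import Dict, List

# Constructed rc.conf fragment (not taken from the original report).
RC_CONF = """
jail_enable="YES"
jail_list="www"
jail_socket_unixiproute_only="NO"
"""

# Constructed `sockstat -4 -l` output as run inside the jail; the column
# layout mirrors FreeBSD's sockstat, the processes and PIDs are made up.
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  3  tcp4   *:80                  *:*
root     sshd       711   3  tcp4   111.111.128.51:22     *:*
root     syslogd    600   6  udp4   *:514                 *:*
"""


def unixiproute_only_disabled(rc_conf: str) -> bool:
    """True when rc.conf turns the jail's address restriction off (NO)."""
    m = re.search(r'^\s*jail_socket_unixiproute_only\s*=\s*"?(\w+)"?',
                  rc_conf, re.M)
    return m is not None and m.group(1).upper() == "NO"


def wildcard_listeners(sockstat_output: str) -> List[Dict[str, str]]:
    """Return the listening sockets whose local address is *:port."""
    findings = []
    for line in sockstat_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 6:
            continue
        _user, command, pid, _fd, proto, local = cols[:6]
        if local.startswith("*:"):
            findings.append({"command": command, "pid": pid,
                             "proto": proto, "port": local[2:]})
    return findings


def audit(rc_conf: str, sockstat_output: str) -> List[str]:
    """List jail sockets that would also answer on the host's IPs under
    the misconfiguration the report describes; empty when the setting is YES."""
    if not unixiproute_only_disabled(rc_conf):
        return []
    return [f"{f['command']}[{f['pid']}] {f['proto']} listens on *:{f['port']}"
            for f in wildcard_listeners(sockstat_output)]


if __name__ == "__main__":
    for finding in audit(RC_CONF, SOCKSTAT):
        print(finding)
```

On a live system the same check is run by feeding the output of `jexec <jid> sockstat -4 -l` (or sockstat run from inside each jail) to `audit()` in place of the constructed sample.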