kern/145444: sysinstall and sade can access host's disks from
within a jail
Dan Naumov
dan.naumov at gmail.com
Tue Apr 6 22:40:02 UTC 2010
>Number: 145444
>Category: kern
>Synopsis: sysinstall and sade can access host's disks from within a jail
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 06 22:40:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Dan Naumov
>Release: 8.0
>Organization:
>Environment:
FreeBSD atombsd.localdomain 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan 5 21:11:58 UTC 2010 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
If you run "sade" or "sysinstall" within a jail, you can see the host system's disks from within the jail, giving a malicious superuser within the jail the capability to inspect the disk and partition layout of the host.
Actual destructive actions to the hosts disk from within such an instance of "sade" / "sysinstall" do not seem possible (attempting to write out changes returns an error), but nevertheless such peeking capability is still troubling.
It is my understanding that this is not intended behaviour.
>How-To-Repeat:
1) Install FreeBSD 8.0
2) Create and install a jail
3) Start the jail
4) Log into the jail as a user with root priviledges (locally via host's console or remotely, connecting to an sshd running within the jail)
5) Run "sade" or "sysinstall)
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list