ports/156853: Update docs: jail(8) security issues with world-readable jail root

[Chris Rees]

>Number:         156853
>Category:       ports
>Synopsis:       Update docs: jail(8) security issues with world-readable jail root
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 06 20:50:13 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Chris Rees
>Release:        
>Organization:
>Environment:
>Description:
I brought this problem up on freebsd-security two years ago [1], and promptly forgot about it, but then another person [2] has brought it up again...

Jails have a problem in that if the jail directory is world-readable, an attacker with root access to the jail can create a setuid binary for their own use in the host environment (if they also have this access), thus breaking root in the host.


[1] http://freebsd.1045724.n5.nabble.com/Thoughts-on-jail-privilege-FAQ-submission-td4219099.html

[2] http://lists.freebsd.org/pipermail/freebsd-security/2011-May/005886.html
>How-To-Repeat:
Follow instructions in the Handbook or jail(8) manpage, create a setuid binary inside the jail as root, and run it as unprivileged user in the host.
>Fix:
No fix, but precautions can be taken; this exploit is impossible if the jail's files are not world-readable.

Docs patches for the Handbook [3] and for the jail(8) manpage [4] are provided.

- Advise 0700 permissions for jail root directory to stop various exploits

Patch submitted by: Chris Rees (utisoft at gmail.com)

Discovered by: Chris Rees (utisoft at gmail.com) and Pétur Ingi Egilsson (petur at petur.eu)

[3] http://www.bayofrum.net/~crees/patches/jail-secure-handbook.diff

[4] http://www.bayofrum.net/~crees/patches/jail-secure-manpage.diff

>Release-Note:
>Audit-Trail:
>Unformatted: