freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely

James Gritton jamie at freebsd.org
Sat Dec 13 20:05:08 UTC 2014


On 2014-12-06 18:34, no at spam@mgEDV.net wrote:
> hi guys,
> 
> as the "real" application faces the same problems, i created a test
> jail on a clean box just to check the behaviour using "/usr/bin/id".
> 
> problem description (hopefully i nailed it):
> if a jailed process needs any .so for startup, the path to those *.so
> needs to be world r-x, although the GID of the jail execute user
> is allowed to r/x the dirs, where the *.so files are to be found.
> there could be (ordering) errors with SET(e)GID in jail_* functions,
> because it works as expected when prefixing with "chroot -g test /".
> the EGID is dropped to the jail user's gid, but the GID is still 0!
> we end up with a jailed proc (UID=999, GID=0), which of course is
> not allowed to access the dirs for the *.so's to be loaded by exec.
> [see end of message for setup details]

There does indeed seem to be a missing setgid() in jail (compared to
jexec, which gets it right).  Could you please file a bug report on
this?  Then I'll get it fixed up.

- Jamie
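
An added example, not part of either message and not FreeBSD's jail(8) or jexec(8) source: a C sketch of a root-to-user drop that audits the real and effective IDs afterwards, so a state like the one reported above (EGID dropped, real GID still 0) is caught. The names `struct ids`, `audit_ids`, `drop_privileges` and the `LEAK_*` flags are hypothetical, and GID 999 is a constructed value, since the thread does not give the jail user's GID.

```c
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Real and effective IDs of a process, as getuid(), getgid() etc. report them. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

#define LEAK_RUID 0x1
#define LEAK_EUID 0x2
#define LEAK_RGID 0x4   /* the condition reported in this thread */
#define LEAK_EGID 0x8

/* Return a bitmask of the IDs that do not match the intended user and group. */
int audit_ids(const struct ids *c, uid_t uid, gid_t gid)
{
    int leak = 0;
    if (c->ruid != uid) leak |= LEAK_RUID;
    if (c->euid != uid) leak |= LEAK_EUID;
    if (c->rgid != gid) leak |= LEAK_RGID;
    if (c->egid != gid) leak |= LEAK_EGID;
    return leak;
}

/* Drop from root to uid/gid: supplementary groups, then setgid(), then setuid().
 * Returns 0 on success, -1 if a call fails, or a positive LEAK_* mask. */
int drop_privileges(uid_t uid, gid_t gid)
{
    struct ids now;
    if (setgroups(1, &gid) != 0) return -1; /* discard root's supplementary groups */
    if (setgid(gid) != 0) return -1;        /* as root: real, effective and saved GID */
    if (setuid(uid) != 0) return -1;        /* last: after this the calls above would fail */
    now.ruid = getuid();  now.euid = geteuid();
    now.rgid = getgid();  now.egid = getegid();
    return audit_ids(&now, uid, gid);
}

int main(void)
{
    /* Constructed state matching the report: UID=999, EGID dropped, GID still 0.
     * 999 as the group ID is an assumption made for this example. */
    struct ids reported = { 999, 999, 0, 999 };
    printf("leak mask: 0x%x\n", audit_ids(&reported, 999, 999));
    return 0;
}
```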

