Escaping from a jail with root privileges on the host

Marin Atanasov Nikolov dnaeon at
Wed Dec 28 22:42:10 UTC 2011

On Wed, Dec 28, 2011 at 10:39 PM, Benjamin Kaduk <kaduk at> wrote:
> [minus -stable]
> On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:
>> Hello,
>> Today I've managed to escape from a jail by accident and ended up with
>> root access to the host's filesystem.
>> Here's what I did:
>> * Using ezjail for managing my jails
>> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
>> * This works only when I use sudo, and cannot reproduce if I execute
>> everything as root
> I cannot see how the use of sudo would be relevant -- the fundamental issue
> merely requires the vnode of the directory in question to be moved (not
> copied) past the jail's root vnode.  Could you give a bit more detail about
> how you came to believe that sudo is necessary?

Hi everyone,

Thanks for the feedback.


I was only able to reproduce this using sudo(8) when doing "mv
<jail-folder> ." (See first mail for exact steps)

Important notes:

 * The directory to mv is "." (cwd) - mv'ing to anything other than "."
does no harm
 * Doing the "mv <jail-folder> ." as root user (without sudo(8) !)
does not result in the jail getting access to the host's fs

That is why I've mentioned that I'm not sure whether this is sudo(8)
related or ezjail, or just jail. I can only reproduce it using sudo
for moving the folder...

Hope that clears things up a bit :)


> -Ben Kaduk

Marin Atanasov Nikolov

dnaeon AT gmail DOT com
daemon AT unix-heaven DOT org
