Escaping from a jail with root privileges on the host
des at des.no
Wed Dec 28 23:29:12 UTC 2011
Stephen Montgomery-Smith <stephen at missouri.edu> writes:
> I agree with the poster that the jail didn't really escape, but was
> "sprung from the outside."
Easily prevented by making sure that every jail's root directory is
unreachable to unprivileged users. Say your jails are in /jail/foo,
/jail/bar and /jail/baz; if /jail is readable only by root (and perhaps
wheel), it won't be possible for anyone else to move a directory out of
> But more than that, I imagine it would be very hard to stop this
> without either completely rethinking how unix filesystems work, or
> adding significant overhead to the OS so that it checks every single
> "mv" command against all existing jails.
Not really. It is trivial to get a list of processes that have a given
vnode as their wd:
% fstat $PWD
USER CMD PID FD MOUNT INUM MODE SZ|DV R/W NAME
des fstat 80052 wd /home/des 3 drwxr-xr-x 398 r /home/des
des zsh 77329 wd /home/des 3 drwxr-xr-x 398 r /home/des
des zsh 26841 wd /home/des 3 drwxr-xr-x 398 r /home/des
des emacs 2577 wd /home/des 3 drwxr-xr-x 398 r /home/des
des zsh 2574 wd /home/des 3 drwxr-xr-x 398 r /home/des
So if any of these processes are jailed and the new location is outside
the jail root, the process should have its wd either forcibly changed
(e.g. to the jail root) or invalidated somehow.
The problem is that you not only have to check the directory you're
moving, but all its subdirectories as well. I can think of ways to
speed up the process; they require non-trivial changes to VFS, but not
"completely rethinking how unix filesystems work".
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security