Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)

Jason Hellenthal jhell at DataIX.net
Sun May 8 17:39:46 UTC 2011 

Chris,

On Sun, May 08, 2011 at 09:58:05AM +0100, Chris Rees wrote:
> On 8 May 2011 08:52, Jason Hellenthal <jhell at dataix.net> wrote:
> >
> > Edho,
> >
> > On Sun, May 08, 2011 at 09:15:28AM +0700, Edho P Arief wrote:
> >> On Sun, May 8, 2011 at 5:31 AM, Jamie Landeg Jones <jamie at bishopston.net> wrote:
> >> >> All the same, I've sent a PR [1] with some doc patches to make people
> >> >> more aware of this -- fulfilling my promise of 2+ years ago :S
> >> >>
> >> >> Thanks!
> >> >>
> >> >> Chris
> >> >>
> >> >> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853
> >> >
> >> > Um. Some problems here.
> >> >
> >> > A jail won't work for not-root users if the jail root directory is chmod 700 - although
> >> > there is obviously a 'chroot' running withing the jail, the jailed user still needs
> >> > to have read permission from the hosts / -- chmod 700 therefore locks all non-root
> >> > users out.
> >> >
> >>
> >> It's weird - I don't remember having such problem after setting jails'
> >> root directory permission to 700. I don't have the system anymore so I
> >> can't verify it just yet.
> >
> > It should also be noted here that the jailed root user also has permission
> > to chmod(1) '/' to anything he or she wants unless you have taken
> > precaution to not allow that. I would reccoment storing your jails two
> > levels deep into a directory and chmod(1) 700 the first level to prevent
> > access from the host and from the jailed root user changing the perms.
> >
> 
> Oops, you're absolutely right.
> 
> I've updated the docs patches (links at [1]), though unfortunately it
> means it's a little less elegant; I'm reluctant to suggest
> 
> # chmod 0700 $D/..
> 

Haha I would strongly suggest against that ;) Not knowing where people are 
keeping the jails would impose quite a bit of harm if they did have them 
in places like that or /var/jailname. Unfortunately in this case we can 
only update the docs and hope that the user will keep up-to-date with 
reading them.

Only other possibility I see is ensuring that noone inside the jail can 
chmod or do anyting on / but this may actually be quite tough.

> in case someone sets $D to /usr/local/myjail or similar...
> 
> Chris
> 
> [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/156853

-- 

 Regards, (jhell)
 Jason Hellenthal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 522 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20110508/c96c35bb/attachment.pgp

More information about the freebsd-security mailing list