I just broke out of a FreeBSD jail.. Known bug??
Johan Ström
johan at stromnet.se
Fri Dec 28 04:33:07 PST 2007
Hello list!
I'm running a FreeBSD 6.2-p8 box with a few jails. The other day a
user of mine uploaded a number of files to one jail, then I (in the
actual system outside of all jails) moved that directory to another
jail.. When I later did some chdiring in the original jail, I found
my self standing in my other jails pwd and beeing able to read/
manipulate files!..
Example:
jb-1 (the base machine, jailbox-1)
shell (jail 1)
core (jail 2)
shell /home/johan# pwd
/home/johan
shell /home/johan# ls
.cshrc .irssi .login_conf .mailrc .profile
.shrc .zcompdump public_html
.histfile .login .mail_aliases .noident .rhosts
.ssh .zshrc
shell /home/johan# mkdir test
shell /home/johan# cd test
shell /home/johan/test# touch asd
shell /home/johan/test# ls -al
total 4
drwxr-xr-x 2 root root 512 Dec 28 13:09 .
drwxr-x--x 6 johan johan 512 Dec 28 13:09 ..
-rw-r--r-- 1 root root 0 Dec 28 13:09 asd
shell /home/johan/test#
Then moving it on the root box
jb-1 /usr/jails# mv shell/home/johan/test core/home/johan/
jb-1 /usr/jails#
And back on shell jail:
shell /home/johan/test# ls
asd
shell /home/johan/test# pwd
pwd: .: No such file or directory
shell /home/johan/test# cd ..
shell /home/johan# ls
.cshrc .lesshst .mailrc .shrc .vimrc
file.big roundcube.sql www.tar.gz
.histfile .login .mysql_history .ssh .zcompdu
mp pics stuff
.history .login_conf .profile .vim .zshrc
postfix-2.4.5 test
.irssi .mail_aliases .rhosts .viminfo
cacert.pem public_html vmail.tar.gz
shell /home/johan#
Thats my home dir on core!.. That should very much not be visible
there! I have full access now (from the wrong jail!)
Known bug or did I just stumble upon something pretty bad??
--
Johan Ström
Stromnet
johan at stromnet.se
http://www.stromnet.se/
More information about the freebsd-stable
mailing list