From owner-freebsd-questions@FreeBSD.ORG  Sun Dec  7 02:03:32 2014
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 8A752BF5
 for <freebsd-questions@freebsd.org>; Sun,  7 Dec 2014 02:03:32 +0000 (UTC)
Received: from mail.mgedv.net (mail.mgedv.net [83.64.34.254])
 by mx1.freebsd.org (Postfix) with ESMTP id 26155E01
 for <freebsd-questions@freebsd.org>; Sun,  7 Dec 2014 02:03:29 +0000 (UTC)
Received: from my.loop (client.my.loop [255.255.255.255])
From: "no@spam@mgEDV.net" <nospam@mgedv.net>
To: <freebsd-questions@freebsd.org>
Subject: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped
 completely
Date: Sun, 7 Dec 2014 02:34:04 +0100
Message-ID: <042a01d011bd$e4cb1530$ae613f90$@mgedv.net>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdARvRoyhhoN78+nRXOFgSXhOGFpug==
Content-Language: de-at
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Dec 2014 02:03:32 -0000

hi guys,
 
as the "real" application faces the same problems, i created a test
jail on a clean box just to check the behaviour using "/usr/bin/id".
 
problem description (hopefully i nailed it):
if a jailed process needs any .so for startup, the path to those *.so
needs to be world r-x, although the GID of the jail execute user
is allowed to r/x the dirs, where the *.so files are to be found.
there could be (ordering) errors with SET(e)GID in jail_* functions,
because it works as expected when prefixing with "chroot -g test /".
the EGID is dropped to the jail user's gid, but the GID is still 0!
we end up with a jailed proc (UID=999, GID=0), which of course is
not allowed to access the dirs for the *.so's to be loaded by exec.
[see end of message for setup details]
 
=== the symptom ===
/jail# /jail/a.sh
Shared object "libbsm.so.3" not found, required by "id"
jail: /bin/id: failed
 
=== details from truss ===
  619: access("/lib/libbsm.so.3",0)              ERR#13 'Permission denied'
  619: access("/usr/lib/libbsm.so.3",0)          ERR#13 'Permission denied'
 
=== some UID/GID details from kdump ===
/jail# grep -i '[g|s]et.*id' jail.kdump
64746 100091 jail     CALL  issetugid
64746 100091 jail     RET   issetugid 0
64746 100091 jail     CALL  issetugid
64746 100091 jail     RET   issetugid 0
64747 100093 jail     CALL  geteuid
64747 100093 jail     RET   geteuid 0
64747 100093 jail     CALL  setuid(0x3e7)
64747 100093 jail     RET   setuid 0
64747 100093 jail     CALL  getuid
64747 100093 jail     RET   getuid 999/0x3e7
64747 100093 jail     CALL  geteuid
64747 100093 jail     RET   geteuid 999/0x3e7
64747 100093 jail     CALL  getegid
64747 100093 jail     RET   getegid 999/0x3e7
64747 100093 jail     CALL  setegid(0x3e7)
64747 100093 jail     RET   setegid -1 errno 1 Operation not permitted
64747 100093 jail     CALL  seteuid(0x3e7)
64747 100093 jail     RET   seteuid 0
64747 100093 jail     CALL  seteuid(0x3e7)
64747 100093 jail     RET   seteuid 0
64747 100093 jail     CALL  setegid(0x3e7)
64747 100093 jail     RET   setegid -1 errno 1 Operation not permitted
64747 100093 id       CALL  issetugid
64747 100093 id       RET   issetugid 1
 
=== proof 1: chroot fixes the jail .so load problem ===
# outside the jail - just to know what's changing:
/jail# chroot -g test / id
uid=0(root) gid=0(wheel) egid=999(test) groups=999(test),5(operator)
# inside the jail - this is our "fix":
/jail# chroot -g test / /jail/a.sh
uid=999 gid=999(test) groups=999(test)
 
=== proof 2: chmod fixes *.so load, but GID=0 here! ===
if i chmod the jail homedir and jail's lib dir, it works:
/jail# chmod a+rx /jail /jail/lib
/jail# ./a.sh
uid=999 gid=0(wheel) egid=999(test) groups=999(test)
 
user and group names are read fine from the jailed "id",
although the file perms are as listed beyond.
 
is this a bug or am i missing something?
any help/info/enlightenment appreciated ;-)
[just reply to the list, i'm on it]
 
 
==== CONFIG (tested 3 different times with GENERIC and a CUSTOM kernel):
LiveCD install source: FreeBSD-10.1-RELEASE-amd64-disc1.iso
sha256: 0c3d64ce48c3ef761761d0fea07e1935e296f8c045c249118bc91a7faf053a6b
fresh install on 2 different ESXi 5.5 hosts and a 3rd physical PC.
only base.tgz+kernel.tgz or liveCD, tried on UFS2 (gpt) and tmpfs.
i used the www user and tmpfs on the liveCD, but everything else was the
same.
 
=== the test user ===
/jail# id -P test
test:*:999:999::0:0:User &:/home/test:/bin/sh
 
=== the jail (before the mentioned chmod) ===
/jail# ls -Ralo
total 68
dr-xr-xr-x   6 root  test   -   512 Dec  7 01:02 .
drwxr-xr-x  19 root  wheel  -   512 Dec  7 00:06 ..
-rwx------   1 root  test   -   773 Dec  7 01:00 a.sh
dr-xr-x---   2 root  test   -   512 Dec  6 23:58 bin
drwxr-x---   2 root  test   -   512 Dec  7 01:01 etc
-rw-r-----   1 root  test   - 37157 Dec  7 01:02 jail.truss
dr-xr-xr-x   2 root  test   -   512 Dec  6 23:59 lib
dr-xr-x---   2 root  test   -   512 Dec  7 00:00 libexec
 
./bin:
total 24
dr-xr-x---  2 root  test  -   512 Dec  6 23:58 .
dr-xr-xr-x  6 root  test  -   512 Dec  7 01:02 ..
-r-xr-x---  1 root  test  - 12432 Nov 11 22:03 id
 
./etc:
total 60
drwxr-x---  2 root  test  -   512 Dec  7 01:01 .
dr-xr-xr-x  6 root  test  -   512 Dec  7 01:02 ..
-rw-r-----  1 root  test  -   473 Dec  7 00:04 group
-rw-r-----  1 root  test  -   321 Dec  7 01:01 nsswitch.conf
-rw-r-----  1 root  test  -  1570 Dec  7 00:27 passwd
-rw-------  1 root  test  - 40960 Dec  7 00:27 spwd.db
 
./lib:
total 1744
dr-xr-xr-x  2 root  test  -     512 Dec  6 23:59 .
dr-xr-xr-x  6 root  test  -     512 Dec  7 01:02 ..
-r--r-----  1 root  test  -  106264 Nov 11 22:03 libbsm.so.3
-r--r-----  1 root  test  - 1631216 Nov 11 22:03 libc.so.7
 
./libexec:
total 124
dr-xr-x---  2 root  test  -    512 Dec  7 00:00 .
dr-xr-xr-x  6 root  test  -    512 Dec  7 01:02 ..
-r-xr-x---  1 root  test  - 118520 Nov 11 22:03 ld-elf.so.1
 
 
=== the start command ====
/jail# cat a.sh
 
umask 027;
rm -f /jail/jail.truss /jail/jail.kdump /jail/jail.ktrace
 
#/usr/bin/truss -f -e -a -o /jail/jail.truss -s 1000    \
ktrace -d -f /jail/jail.ktrace -i -t cinpstuy   \
jail -c jid=1                   \
name=test                \
path=/jail               \
ip4.addr=1.1.1.1                \
host.hostuuid=c91e438a-1a44-4b7e-8732-0441ca9e2b97      \
host.hostid=6146666201             \
allow.sysvipc=0                 \
allow.raw_sockets=0                \
exec.jail_user=test                \
exec.system_user=test              \
exec.system_jail_user=true              \
host.hostname=test                 \
host.domainname=test.me                \
allow.set_hostname=0               \
allow.chflags=0                 \
allow.mount=0                   \
allow.quotas=0                  \
allow.socket_af=0                  \
enforce_statfs=2                \
ip4=new                 \
ip6=disable              \
command=/bin/id                 \
 
kdump -H -f /jail/jail.ktrace >/jail/jail.kdump
 
===  EOM ===