From owner-freebsd-hackers@FreeBSD.ORG Fri Dec 29 13:41:42 2006
Date: Fri, 29 Dec 2006 04:41:33 -0800
From: Colin Percival
To: freebsd-hackers@freebsd.org, Bill Moran
Subject: Re: Modified version of jexec allows non-root access into jails
Message-id: <45950CFD.5020506@freebsd.org>
In-reply-to: <20061229120030.3DCE316A530@hub.freebsd.org>

Bill Moran wrote:
> http://people.collaborativefusion.com/~wmoran/code/jailme.html
>
> Feedback is appreciated.

Be very very careful. Both chroot(2) and jail(2) can only be called by root, and for very good reasons.

Unprivileged users can create hardlinks to files which they don't own, including setuid root binaries; but these binaries will probably not operate correctly inside a jail of an attacker's construction (e.g., which contains a root password of "r00tmeplz"). The attacker can thus obtain jailed root privileges, create all the setuid root binaries he wants, and then run them from outside of the jail to obtain root privileges in the host machine.

The fact that you're calling jail_attach(2) instead of jail(2) makes me slightly less worried, but you'd still have to work very hard to convince me that this should become part of the FreeBSD base system.

Colin Percival
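The precondition Colin describes is a setuid binary reachable through a second hard link in a tree an unprivileged user controls. The following audit script is an added example, not code from the thread or from jailme: it lists setuid files under a given root that have more than one hard link, and for each one prints every path on that filesystem that reaches the same inode, so an administrator can see whether a system setuid binary is also reachable from a user's directory. It assumes a find(1) that supports -samefile (GNU and FreeBSD find both do).

```shell
#!/bin/sh
# Added example (not from the thread): audit a filesystem for setuid files
# that are reachable through more than one hard link.

# Print setuid regular files under $1 whose link count exceeds 1.
# -xdev keeps find on the starting filesystem, since hard links cannot
# cross filesystems and -samefile below would otherwise be misleading.
find_multilinked_setuid() {
    root="$1"
    find "$root" -xdev -type f -perm -4000 -links +1 -print 2>/dev/null
}

# Print every path under $1 that refers to the same inode as file $2.
# This is how a link such as /home/user/jail/bin/su shows up next to
# the system copy of the binary.
list_aliases() {
    root="$1"
    file="$2"
    find "$root" -xdev -samefile "$file" -print 2>/dev/null
}

# Human-readable report: each multi-linked setuid file followed by the
# full set of paths that reach it.
report_multilinked_setuid() {
    root="$1"
    find_multilinked_setuid "$root" | while IFS= read -r f; do
        printf 'setuid file with extra hard links: %s\n' "$f"
        list_aliases "$root" "$f" | sed 's/^/    alias: /'
    done
}

# Usage (as root, for a real audit): report_multilinked_setuid /
```

Every hard link to the inode is reported, so a single setuid binary with two links appears twice in the first listing; the alias list under each entry shows which paths share that inode.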