From owner-svn-src-head@FreeBSD.ORG Sun May 8 12:16:39 2011 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8F275106566C; Sun, 8 May 2011 12:16:39 +0000 (UTC) (envelope-from bcr@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 82A288FC0A; Sun, 8 May 2011 12:16:39 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p48CGdem045578; Sun, 8 May 2011 12:16:39 GMT (envelope-from bcr@svn.freebsd.org) Received: (from bcr@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p48CGdw3045576; Sun, 8 May 2011 12:16:39 GMT (envelope-from bcr@svn.freebsd.org) Message-Id: <201105081216.p48CGdw3045576@svn.freebsd.org> From: Benedict Reuschling Date: Sun, 8 May 2011 12:16:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r221655 - head/usr.sbin/jail X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 May 2011 12:16:39 -0000 Author: bcr (doc committer) Date: Sun May 8 12:16:39 2011 New Revision: 221655 URL: http://svn.freebsd.org/changeset/base/221655 Log: Jails have a problem in that if the jail directory is world-readable, an attacker with root access to the jail can create a setuid binary for their own use in the host environment (if they also have this access), thus breaking root in the host. This exploit is impossible if the jail's files are not world-readable. Add instructions to the man page on how to create a jail with the correct permissions set. PR: docs/156853 Submitted by: Chris Rees (utisoft at gmail dot com) Reviewed by: cperciva (security parts) MFC after: 9 days Modified: head/usr.sbin/jail/jail.8 Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011 (r221654) +++ head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011 (r221655) @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 17, 2010 +.Dd May 8, 2011 .Dt JAIL 8 .Os .Sh NAME @@ -431,7 +431,7 @@ command script can be used: .Bd -literal D=/here/is/the/jail cd /usr/src -mkdir -p $D +mkdir -p -m 0700 $D make world DESTDIR=$D make distribution DESTDIR=$D mount -t devfs devfs $D/dev @@ -448,6 +448,10 @@ in the per-jail devfs. A simple devfs ruleset for jails is available as ruleset #4 in .Pa /etc/defaults/devfs.rules . .Pp +Non-superusers in the host system should not be able to access the +jail's files; otherwise an attacker with root access to the jail +could obtain elevated privileges on the host. +.Pp In many cases this example would put far more in the jail than needed. In the other extreme case a jail might contain only one file: the executable to be run in the jail.