Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 28 Dec 2007 13:15:38 +0100
From:      =?ISO-8859-1?Q?Johan_Str=F6m?= <johan@stromnet.se>
To:        freebsd-stable@freebsd.org
Subject:   I just broke out of a FreeBSD jail.. Known bug??
Message-ID:  <91064C44-1A41-4FCB-A718-1EF3A63E2273@stromnet.se>
next in thread | raw e-mail | index | archive | help 
Hello list!

I'm running a FreeBSD 6.2-p8 box with a few jails. The other day a =20
user of mine uploaded a number of files to one jail, then I (in the =20
actual system outside of all jails) moved that directory to another =20
jail.. When I later did some chdiring in the original jail, I found =20
my self standing in my other jails pwd and beeing able to read/=20
manipulate files!..

Example:

jb-1 (the base machine, jailbox-1)
shell (jail 1)
core (jail 2)

shell /home/johan# pwd
/home/johan
shell /home/johan# ls
.cshrc          .irssi          .login_conf     .mailrc         .profile=20=

         .shrc           .zcompdump      public_html
.histfile       .login          .mail_aliases   .noident        .rhosts =20=

         .ssh            .zshrc
shell /home/johan# mkdir test
shell /home/johan# cd test
shell /home/johan/test# touch asd
shell /home/johan/test# ls -al
total 4
drwxr-xr-x  2 root   root   512 Dec 28 13:09 .
drwxr-x--x  6 johan  johan  512 Dec 28 13:09 ..
-rw-r--r--  1 root   root    0 Dec 28 13:09 asd
shell /home/johan/test#

Then moving it on the root box

jb-1 /usr/jails# mv shell/home/johan/test core/home/johan/
jb-1 /usr/jails#

And back on shell jail:

shell /home/johan/test# ls
asd
shell /home/johan/test# pwd
pwd: .: No such file or directory
shell /home/johan/test# cd ..
shell /home/johan# ls
.cshrc          .lesshst        .mailrc         .shrc           .vimrc  =20=

         file.big        roundcube.sql   www.tar.gz
.histfile       .login          .mysql_history  .ssh            .zcompdu=20=

mp      pics            stuff
.history        .login_conf     .profile        .vim            .zshrc  =20=

         postfix-2.4.5   test
.irssi          .mail_aliases   .rhosts         .viminfo        =20
cacert.pem      public_html     vmail.tar.gz
shell /home/johan#

Thats my home dir on core!.. That should very much not be visible =20
there! I have full access now (from the wrong jail!)

Known bug or did I just stumble upon something pretty bad??

--
Johan Str=F6m
Stromnet
johan@stromnet.se
http://www.stromnet.se/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?91064C44-1A41-4FCB-A718-1EF3A63E2273>