From owner-freebsd-bugs@FreeBSD.ORG Tue Jan 5 09:40:02 2010
Message-Id: <201001050932.o059WP0F004402@www.freebsd.org>
Date: Tue, 5 Jan 2010 09:32:25 GMT
From: Vedad KAJTAZ
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/142341: Jail escape when cwd is moved from the host system

>Number: 142341
>Category: misc
>Synopsis: Jail escape when cwd is moved from the host system
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 05 09:40:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Vedad KAJTAZ
>Release: 7.2-RELEASE-p4
>Organization: Vedad KAJTAZ
>Environment:
FreeBSD kenny.osilex.net 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct 2 12:21:39 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Given the following setup:
- A host system
- A jail system located in /usr/local/jails/J1 on the host system
- A shell open in the jail system, with cwd set to /some/path (therefore, /usr/local/jails/J1/some/path on the host system).

When the root moves the /usr/local/jails/J1/some/path folder somewhere else (say in /usr/local/jails/J2/some/path), the jail shell (as any other jail process) is no longer rooted and has access to the whole filesystem on the host.

Though this is not a common situation, it may happen (and did happen to me).

Best regards,
>How-To-Repeat:
Always repeatable
>Fix:
None known
>Release-Note:
>Audit-Trail:
>Unformatted:
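
A host-side pre-move check for the condition described in this report, as an added example that is not part of the original report or of FreeBSD: before a directory is renamed on the host, it lists jailed processes whose working directory would end up outside their own jail root. The process records, jail IDs and function names are constructed for illustration, and paths are assumed to be absolute, symlink-free host-side paths.

```python
from pathlib import PurePosixPath

# Constructed sample data: jail ID -> jail root on the host.
JAIL_ROOTS = {1: "/usr/local/jails/J1", 2: "/usr/local/jails/J2"}

# Constructed sample records: (pid, jail ID, cwd as seen from the host).
# Jail ID 0 stands for an unjailed host process.
PROCS = [
    (812, 1, "/usr/local/jails/J1/some/path"),
    (815, 1, "/usr/local/jails/J1/some/path/sub"),
    (820, 1, "/usr/local/jails/J1/tmp"),
    (901, 2, "/usr/local/jails/J2/var"),
    (300, 0, "/root"),
]


def is_within(path, root):
    """True if path equals root or lies beneath it, compared per component
    so that /jails/J10 is not mistaken for a child of /jails/J1."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def cwd_after_move(cwd, src, dst):
    """Host-side path a cwd will have once directory src is renamed to dst."""
    if not is_within(cwd, src):
        return cwd  # the move does not affect this working directory
    rel = PurePosixPath(cwd).relative_to(src)
    return str(PurePosixPath(dst) / rel)


def unsafe_moves(procs, jail_roots, src, dst):
    """Return (pid, jid, old_cwd, new_cwd) for every jailed process whose
    cwd would sit outside its own jail root after src is renamed to dst."""
    flagged = []
    for pid, jid, cwd in procs:
        root = jail_roots.get(jid)
        if root is None:  # host process, no jail root to compare against
            continue
        new_cwd = cwd_after_move(cwd, src, dst)
        if not is_within(new_cwd, root):
            flagged.append((pid, jid, cwd, new_cwd))
    return flagged


if __name__ == "__main__":
    # The move from the report: J1/some/path -> J2/some/path.
    for hit in unsafe_moves(PROCS, JAIL_ROOTS,
                            "/usr/local/jails/J1/some/path",
                            "/usr/local/jails/J2/some/path"):
        print("pid %d (jail %d): cwd %s -> %s leaves the jail root" % hit)
```

A non-empty result means the rename should wait until those processes have exited or changed directory.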