Date: Tue, 2 Feb 2010 22:06:11 GMT
From: "Aaron D. Gifford" <astounding@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/143503: Security bug: jailed shell has access outside of jailed directory
Message-ID: <201002022206.o12M6B2g072238@www.freebsd.org>
Resent-Message-ID: <201002022210.o12MA1rJ062289@freefall.freebsd.org>
>Number:         143503
>Category:       kern
>Synopsis:       Security bug: jailed shell has access outside of jailed directory
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 02 22:10:00 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Aaron D. Gifford
>Release:        8.0-STABLE as of 27 Jan. 2010
>Organization:
>Environment:
FreeBSD mainhost.example.com 8.0-STABLE FreeBSD 8.0-STABLE #0: Wed Jan 27 19:46:39 MST 2010     root@mainhost.example.com:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
/data is a ZFS filesystem... (I don't know if that's relevant or not as I haven't tried this on an 8.0 system NOT running ZFS.)

/data/testjail is a jail in which several directories are nullfs mounted (see below output of "df"):

/data/basejail   482242304  130051840  352190464    27%    /data/testjail/basejail
/usr/ports       352900096     709632  352190464     0%    /data/testjail/usr/ports
/usr/src         353247232    1056768  352190464     0%    /data/testjail/usr/src
/usr/obj         354452736    2262272  352190464     1%    /data/testjail/usr/obj
devfs                    2          2          0   100%    /data/testjail/dev

THE PROBLEM:

If my current working directory is /data/foo/bar (outside of the jail path I will be using) and I create a NEW jail running bash with the following command, watch what happens:

root@mainhost:/data/foo/bar# jail /data/foo/bar jailhost.example.org 127.0.0.1 /usr/local/bin/bash
root@jailhost:/data/foo/bar# pwd
/data/foo/bar
root@jailhost:/data/foo/bar# ls -l /data/foo/bar
ls: /data/foo/bar: No such file or directory
root@jailhost:/data/foo/bar# ls -l
total 97
-rw-r--r--  1 root  wheel  5530 Jan 18 15:55 NOTES
-rwxr-xr-x  1 root  wheel  4770 Feb  2 14:19 myscript1
-rw-r--r--  1 root  wheel  1861 Jan 27 22:25 configuration
-rwxr-xr-x  1 root  wheel  7852 Feb  2 14:23 myscriptlib
-rwxr-xr-x  1 root  wheel  5981 Jan 31 16:04 myscript2
-rwxr-xr-x  1 root  wheel  4163 Feb  2 13:35 myscript3
-rwxr-xr-x  1 root  wheel  2639 Jan  8 15:58 myscript4
-rwxr-xr-x  1 root  wheel   911 Feb  2 13:37 myscript5
-rw-r--r--  1 root  wheel  3328 Jan 31 08:18 docs.txt
root@jailhost:/data/foo/bar# cd /data/foo/bar
bash: cd: /data/foo/bar: No such file or directory
root@jailhost:/data/foo/bar# cd /data/foo
bash: cd: /data/foo: No such file or directory
root@jailhost:/data/foo/bar# cd ..
root@jailhost:/data/foo# ls -l
total 7
drwxr-xr-x  2 root  wheel     2 Feb  2 14:21 bar
drwxr-xr-x  2 root  wheel     2 Feb  2 14:21 foo
-rw-r--r--  1 root  wheel  5058 Feb  2 14:22 testing.log
root@jailhost:/data/foo# echo "IS this file writable or..." > testfile.txt
root@jailhost:/data/foo# ls -l testfile.txt
-rw-r--r--  1 root  wheel  28 Feb  2 14:42 testfile.txt
root@jailhost:/data/foo# cat testfile.txt
IS this file writable or...
root@jailhost:/data/foo# cat /data/foo/testfile.txt
cat: /data/foo/testfile.txt: No such file or directory
root@jailhost:/data/foo# cat ../../data/foo/testfile.txt
IS this file writable or...
root@jailhost:/data/foo# cd foo
root@jailhost:/data/foo/foo# ls -l
total 20
-r--r--r--   1 root  wheel  6196 Feb  2 14:49 COPYRIGHT
-rw-r--r--   1 root  wheel   821 Feb  2 14:49 bar.txt
drwxr-xr-x  13 root  wheel    20 Jul  2  2009 data
root@jailhost:/data/foo/foo# cd ../..
root@jailhost:/data# ls -l
total 17
drwxr-xr-x   2 root  wheel   9 Jan 31 18:25 conf
drwxr-xr-x   5 root  wheel   5 Sep 11  2007 home
drwxrwxr-x   2 root  81     8 Mar  5  2007 logs
drwxrwxr-x   2 root  81     3 Mar  5  2007 phpinc
drwxrwxr-x  14 root  81    32 Jan 31 19:05 web
root@jailhost:/data#

PLEASE NOTE that there IS a /data directory within the jail: /data/foo/bar/data

It is THAT /data directory that the final "ls -l" above showed.

SUMMARY OF PROBLEM:

The jail command allows the jailed process (running as root within the jail) access to the current working directory (outside the jail) and can read from and write to it as long as all paths are relative to the working directory. Entering an existing jail with 'jexec' does not exhibit this problem.

Is there ANY possible configuration where this is okay?

More info about my system that might be relevant:

security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 1
>How-To-Repeat:
See above...
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
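The report shows a shell that entered a new jail while keeping a working directory inherited from outside it, so relative paths still reached the host filesystem. The following C program is an added example (not from the report and not FreeBSD's jail(8) source) of the defensive ordering a confinement wrapper should follow and the check a defender can run: chdir into the new root, change root, chdir("/") again, then verify by device and inode that the cwd really is the process's root; chroot(2) is assumed here as a portable stand-in for jail(2)/jail_attach(2).

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Return 1 if the current working directory is the process's root
 * directory ("/" as this process sees it), 0 if it is any other
 * directory, -1 on error.  Device and inode numbers are compared, not
 * path strings: a cwd that merely prints as the root path but resolves
 * to a different directory is still reported as not anchored. */
int cwd_is_process_root(void)
{
    struct stat cwd, root;
    if (stat(".", &cwd) != 0 || stat("/", &root) != 0)
        return -1;
    return (cwd.st_dev == root.st_dev && cwd.st_ino == root.st_ino) ? 1 : 0;
}

/* Confine the calling process to 'root' and re-anchor its cwd there.
 * chroot(2) stands in for jail(2)/jail_attach(2) on FreeBSD; the
 * ordering is the point: move into the new root first, change root,
 * then chdir("/") so no cwd outside the new root survives.  Requires
 * superuser privileges.  Returns 0 on success, -1 on failure. */
int enter_confinement_root(const char *root)
{
    if (chdir(root) != 0)
        return -1;
    if (chroot(root) != 0)      /* FreeBSD: jail_attach(2) goes here */
        return -1;
    if (chdir("/") != 0)
        return -1;
    /* Refuse to continue if the cwd did not end up at the new root. */
    return cwd_is_process_root() == 1 ? 0 : -1;
}

int main(int argc, char **argv)
{
    char buf[1024];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <root-directory>\n", argv[0]);
        return 2;
    }
    if (enter_confinement_root(argv[1]) != 0) {
        perror("enter_confinement_root");
        return 1;
    }
    printf("cwd after confinement: %s\n", getcwd(buf, sizeof buf) ? buf : "?");
    printf("anchored at process root: %s\n",
           cwd_is_process_root() == 1 ? "yes" : "no");
    return 0;
}
```

Run as root against a prepared root directory; the exit status is non-zero whenever the working directory did not end up inside the new root.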