Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 29 Dec 2011 00:42:09 +0200
From:      Marin Atanasov Nikolov <dnaeon@gmail.com>
To:        Benjamin Kaduk <kaduk@mit.edu>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Escaping from a jail with root privileges on the host
Message-ID:  <CAJ-UWtSBayO5zA5tYeZ3_PU8uVRZo%2Bx6q184cecdh14gF=2XSQ@mail.gmail.com>
In-Reply-To: <alpine.GSO.1.10.1112281537460.882@multics.mit.edu>
References:  <CAJ-UWtQnYWb8TUzk91Z%2BCxgfVsDM=WtBDrpP_V9pBnv7ar47Fw@mail.gmail.com> <alpine.GSO.1.10.1112281537460.882@multics.mit.edu>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Wed, Dec 28, 2011 at 10:39 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> [minus -stable]
>
>
> On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:
>
>> Hello,
>>
>> Today I've managed to escape from a jail by accident and ended up with
>> root access to the host's filesystem.
>>
>> Here's what I did:
>>
>> * Using ezjail for managing my jails
>> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
>> * This works only when I use sudo, and cannot reproduce if I execute
>> everything as root
>
>
> I cannot see how the use of sudo would be relevant -- the fundametal issu=
e
> merely requires the vnode of the directory in question to be moved (not
> copied) past the jail's root vnode. =A0Could you give a bit more detail a=
bout
> how you came to believe that sudo is necessary?
>

Hi everyone,

Thanks for the feedback.

@Ben:

I was able only to reproduce this using sudo(8) when doing "mv
<jail-folder> ." (See first mail for exact steps)

Important notes:

 * The directory to mv is "." (cwd) - mv'ing to anything else than "."
does not harm
 * Doing the "mv <jail-folder> ." as root user (without sudo(8) !)
does not result in jail getting access to the host's fs

That is why I've mentioned that I'm not sure whether this is sudo(8)
related or ezjail, or just jail.. I can only reproduce it using sudo
for moving the folder...

Hope that clears a bit things :)

Regards,
Marin

> -Ben Kaduk



--=20
Marin Atanasov Nikolov

dnaeon AT gmail DOT com
daemon AT unix-heaven DOT org
http://www.unix-heaven.org/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ-UWtSBayO5zA5tYeZ3_PU8uVRZo%2Bx6q184cecdh14gF=2XSQ>