From: Robert Watson <rwatson@FreeBSD.org>
Date: Sun, 30 Dec 2007 20:26:01 +0000 (GMT)
To: Johan Ström
Cc: Edwin Groothuis, freebsd-stable@freebsd.org
Subject: Re: I just broke out of a FreeBSD jail.. Known bug??
Message-ID: <20071230202340.S1545@fledge.watson.org>
In-Reply-To: <6EC90A5A-ECCC-4983-95CE-D82AEE89C289@stromnet.se>
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)
On Fri, 28 Dec 2007, Johan Ström wrote:

> On Dec 28, 2007, at 13:41 , Edwin Groothuis wrote:
>
>> On Fri, Dec 28, 2007 at 01:15:38PM +0100, Johan Ström wrote:
>>> That's my home dir on core!.. That should very much not be visible there! I have full access now (from the wrong jail!)
>>>
>>> Known bug or did I just stumble upon something pretty bad??
>>
>> You didn't really break out of it, the person who managed the machine did something he shouldn't have done: moving the directories while the jail(s) were running. It should be mentioned in the BUGS section of the jail(8) command.
>
> Yes, that's true.. Without "super-root" doing that the "breakout" would never happen. But still a bug, so yes I guess it should be mentioned in BUGS (and handbook too? not sure where this kind of "special features" are noted) unless it's fixed.

While the results are potentially confusing, this is actually an intentional design choice. Jails are not intended to provide complete isolation, but rather unintrusive and low-overhead containment. As long as untrusted processes are working with the file system namespace exposed to the jail, the privileged root user should be very cautious about trusting those bits of namespace, just as they should be cautious with bits of file system namespace writable by regular users. In order to prevent these kinds of issues, we'd need to use more intensive isolation of the file system components visible in the jail, such as allowing access to a particular object only "within" or "outside" of the jail, rather than both. If the man page doesn't have a cautionary note on users outside the jail trusting data in the jail, it should do so.
Robert N M Watson
Computer Laboratory
University of Cambridge
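The host-side caution Robert describes (treat the jail's file system namespace the way you would treat a directory writable by an ordinary user) is easy to state and easy to get wrong. The following is an added example, not code from this thread and not FreeBSD's jail(8) or kernel code: a C routine, open_beneath(), that opens a path relative to a directory descriptor one component at a time with O_NOFOLLOW and refuses "..", so a name controlled by whoever can write inside the subtree cannot resolve to anything above it. The fixture tree (a "secret" file outside a "root" directory, an "ok.txt" inside it, and an "escape" symlink pointing back out) is constructed under a temporary directory for the demonstration; no real jail is created, and this does not address the specific case in the thread of an administrator moving a running jail's directories.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 4096

/*
 * open_beneath: open `relpath` relative to directory `rootfd`, one component
 * at a time with O_NOFOLLOW (no symlink, planted or not, is ever followed)
 * and with ".." refused outright, so a name chosen by whoever controls that
 * subtree cannot resolve to anything above `rootfd`. Returns an fd or -1.
 */
int open_beneath(int rootfd, const char *relpath, int flags)
{
    char buf[PATHBUF], *save = NULL;

    if (relpath == NULL || relpath[0] == '/' || strlen(relpath) >= sizeof buf) {
        errno = EINVAL;                 /* absolute or oversized: refuse */
        return -1;
    }
    strcpy(buf, relpath);
    int dirfd = dup(rootfd);
    if (dirfd < 0)
        return -1;
    for (char *comp = strtok_r(buf, "/", &save); comp; ) {
        char *next = strtok_r(NULL, "/", &save);   /* NULL on last component */
        if (strcmp(comp, ".") == 0) { comp = next; continue; }
        if (strcmp(comp, "..") == 0) {
            close(dirfd);
            errno = EXDEV;              /* would step above the root */
            return -1;
        }
        int fd = next ? openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)
                      : openat(dirfd, comp, flags | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;
        close(dirfd);
        if (fd < 0) { errno = saved; return -1; }
        dirfd = fd;
        comp = next;
    }
    return dirfd;                       /* "" or "." is the root itself */
}

/* write_file: create a small file (fixture helper). */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

/*
 * build_fixture: a constructed tree standing in for a jail root (no real
 * jail is involved) under a fresh temporary directory:
 *   <tmp>/secret        file outside the root that must stay unreachable
 *   <tmp>/root/ok.txt   ordinary file inside the root
 *   <tmp>/root/escape   symlink -> ../secret, as a jailed user could plant
 * Returns an fd for <tmp>/root, or -1.
 */
int build_fixture(void)
{
    const char *tmpdir = getenv("TMPDIR");
    char tmpl[PATHBUF], path[PATHBUF];
    snprintf(tmpl, sizeof tmpl, "%s/jailroot.XXXXXX", tmpdir ? tmpdir : "/tmp");
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(path, sizeof path, "%s/secret", tmpl);
    if (write_file(path, "outside\n") < 0) return -1;
    snprintf(path, sizeof path, "%s/root", tmpl);
    if (mkdir(path, 0700) < 0) return -1;
    snprintf(path, sizeof path, "%s/root/ok.txt", tmpl);
    if (write_file(path, "inside\n") < 0) return -1;
    snprintf(path, sizeof path, "%s/root/escape", tmpl);
    if (symlink("../secret", path) < 0) return -1;
    snprintf(path, sizeof path, "%s/root", tmpl);
    return open(path, O_RDONLY | O_DIRECTORY);
}

/* reads_as: 1 if open file `fd` contains exactly `want`; closes fd. */
static int reads_as(int fd, const char *want)
{
    char buf[32];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, want) == 0;
}

/* run_checks: 0 when every expectation holds, else the first failing check. */
int run_checks(void)
{
    int rootfd = build_fixture();
    if (rootfd < 0) return 1;
    /* A naive host-side openat follows the planted link straight out. */
    int fd = openat(rootfd, "escape", O_RDONLY);
    if (fd < 0 || !reads_as(fd, "outside\n")) return 2;
    /* open_beneath still serves legitimate names ... */
    fd = open_beneath(rootfd, "./ok.txt", O_RDONLY);
    if (fd < 0 || !reads_as(fd, "inside\n")) return 3;
    /* ... and refuses every way out. */
    if (open_beneath(rootfd, "escape", O_RDONLY) >= 0) return 4;
    if (open_beneath(rootfd, "../secret", O_RDONLY) >= 0) return 5;
    if (open_beneath(rootfd, "/etc/passwd", O_RDONLY) >= 0) return 6;
    close(rootfd);
    return 0;
}

int main(void)
{
    int rc = run_checks();
    printf("open_beneath checks: %s (code %d)\n", rc ? "FAILED" : "passed", rc);
    return rc;
}
```

The contrast in run_checks() is the point: a plain openat() from outside the jail happily follows a link the jailed user planted, while the component-wise walk does not. Later FreeBSD releases added an O_RESOLVE_BENEATH flag to open(2) and Linux added openat2(2) with RESOLVE_BENEATH, both of which enforce the same rule in the kernel; neither existed when this thread was written.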