Date: Sun, 30 Dec 2007 20:26:01 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Johan Ström <johan@stromnet.se>
Cc: Edwin Groothuis <edwin@mavetju.org>, freebsd-stable@freebsd.org
Subject: Re: I just broke out of a FreeBSD jail.. Known bug??
Message-ID: <20071230202340.S1545@fledge.watson.org>
In-Reply-To: <6EC90A5A-ECCC-4983-95CE-D82AEE89C289@stromnet.se>
References: <91064C44-1A41-4FCB-A718-1EF3A63E2273@stromnet.se> <20071228124151.GA37323@k7.mavetju> <6EC90A5A-ECCC-4983-95CE-D82AEE89C289@stromnet.se>
On Fri, 28 Dec 2007, Johan Ström wrote:

> On Dec 28, 2007, at 13:41 , Edwin Groothuis wrote:
>
>> On Fri, Dec 28, 2007 at 01:15:38PM +0100, Johan Ström wrote:
>>> That's my home dir on core!.. That should very much not be visible
>>> there! I have full access now (from the wrong jail!)
>>>
>>> Known bug or did I just stumble upon something pretty bad??
>>
>> You didn't really break out of it, the person who managed the machine
>> did something he shouldn't have done: moving the directories while the
>> jail(s) were running. It should be mentioned in the BUGS section of the
>> jail(8) command.
>
> Yes, that's true.. Without "super-root" doing that the "breakout" would
> never happen. But still a bug, so yes I guess it should be mentioned in
> BUGS (and handbook too? not sure where this kind of "special features"
> are noted) unless it's fixed.

While the results are potentially confusing, this is actually an
intentional design choice. Jails are not intended to provide complete
isolation, rather, unintrusive and low-overhead containment. As long as
untrusted processes are working with the file system namespace exposed to
the jail, the privileged root user should be very cautious about trusting
those bits of namespace, just as they should be cautious with bits of file
system namespace writable by regular users. In order to prevent these
kinds of issues, we'd need to use more intensive isolation of the file
system components visible in the jail, such as allowing access to a
particular object only "within" or "outside" of the jail, rather than
both.

If the man page doesn't have a cautionary note on users outside the jail
trusting data in the jail, it should do so.

Robert N M Watson
Computer Laboratory
University of Cambridge
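The caution Robert describes, root outside the jail treating jail-writable namespace the way it would treat any user-writable directory, has a concrete consequence for host-side scripts that copy, delete or edit files under a jail root: a symlink or `..` planted by the jail's own root can redirect them onto host files. The script below is an added example written for this page, not code from the thread or from FreeBSD; the `within_jail`, `copy_from_jail` and `demo` names and the directory layout are made up. It resolves the requested path with `realpath` (present on FreeBSD and on GNU/busybox systems) so that symlinks and `..` are expanded before the result is compared against the resolved jail root, and it refuses anything that lands outside. It generalises beyond the thread's single case to the absolute-symlink, relative-symlink and literal-`..` escapes.

```shell
#!/bin/sh
# Added example for this page; not code from the thread or from FreeBSD.
# within_jail JAILROOT RELPATH: exit 0 only if RELPATH, resolved relative
# to JAILROOT with every symlink and ".." expanded, still lies under
# JAILROOT. Exit 1 if it escapes, 2 if a path cannot be resolved.
within_jail() {
    root=$(realpath "$1") || return 2
    # A leading "/" in RELPATH is treated as the jail's own root, not the
    # host's: "$root//etc/passwd" normalises to "$root/etc/passwd".
    target=$(realpath "$root/$2") || return 2
    case "$target" in
        "$root" | "$root"/*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Host-side wrapper (hypothetical helper): copy a file out of a jail only
# after the containment check passes; refuse with a diagnostic otherwise.
copy_from_jail() {
    if within_jail "$1" "$2"; then
        cp "$1/$2" "$3"
    else
        echo "refusing: $1/$2 resolves outside the jail root" >&2
        return 1
    fi
}

# Demonstration on a constructed tree (a plain directory, not a real jail):
# one regular file inside, and links that a jail root could have planted to
# point at a file on the host. Returns 0 if every case behaves as intended.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/jail/etc" "$d/jail/tmp"
    echo "host secret" > "$d/outside"          # the host file to protect
    echo "hello" > "$d/jail/etc/motd"          # legitimately inside
    ln -s "$d/outside" "$d/jail/tmp/abs-escape"  # absolute symlink out
    ln -s ../../outside "$d/jail/tmp/rel-escape" # relative symlink out
    rc=0
    if ! within_jail "$d/jail" etc/motd;          then rc=1; fi  # inside
    if within_jail "$d/jail" tmp/abs-escape;      then rc=1; fi  # escapes
    if within_jail "$d/jail" tmp/rel-escape;      then rc=1; fi  # escapes
    if within_jail "$d/jail" etc/../../outside;   then rc=1; fi  # escapes
    rm -rf "$d"
    return $rc
}
```

This is a check-then-use pattern, so it is only as good as the window between the `realpath` call and the `cp`: a jail root that can swap a file for a symlink in that window still wins. On FreeBSD the race-free form is to open with the `O_RESOLVE_BENEATH` flag to open(2), which makes the kernel reject any lookup that leaves the starting directory. Note also that the thread's own incident, the jail's directory tree being moved on the host while the jail ran, is not something this script can detect; the advice there remains not to move a running jail's tree at all.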
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071230202340.S1545>