Date: Wed, 28 Dec 2011 10:58:43 +0200 From: Marin Atanasov Nikolov <dnaeon@gmail.com> To: freebsd-security@freebsd.org, ml-freebsd-stable <freebsd-stable@freebsd.org> Subject: Escaping from a jail with root privileges on the host Message-ID: <CAJ-UWtQnYWb8TUzk91Z%2BCxgfVsDM=WtBDrpP_V9pBnv7ar47Fw@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hello, Today I've managed to escape from a jail by accident and ended up with root access to the host's filesystem. Here's what I did: * Using ezjail for managing my jails * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3 * This works only when I use sudo, and cannot reproduce if I execute everything as root First, created a folder *inside* the jail and cd to it: host$ sudo ezjail-admin console jail-test jail-test# id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) jail-test# mkdir ~/jail-folder jail-test# cd ~/jail-folder jail-test# pwd /root/jail-folder Then from the host machine I've moved this folder to the cwd. host$ pwd /usr/home/mra host$ sudo mv /home/jails/jail-test/root/jail-folder . And then here's where the jail ends up :) jail-test# pwd /usr/home/mra/jail-folder >From here on the Jail's root user has full root privileges to the host's filesystem. Not sure if it is sudo or jail issue, and would be nice if someone with more experience can check this up :) Regards, Marin -- Marin Atanasov Nikolov dnaeon AT gmail DOT com daemon AT unix-heaven DOT org http://www.unix-heaven.org/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ-UWtQnYWb8TUzk91Z%2BCxgfVsDM=WtBDrpP_V9pBnv7ar47Fw>