Date:      Thu, 11 Dec 2014 08:15:54 +0800
From:      Ernie Luzar <luzar722@gmail.com>
To:        "no@spam@mgedv.net" <nospam@mgedv.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely
Message-ID:  <5488E23A.9020002@gmail.com>
In-Reply-To: <000001d01495$8b36ee60$a1a4cb20$@mgedv.net>
References:  <042a01d011bd$e4cb1530$ae613f90$@mgedv.net> <000001d01495$8b36ee60$a1a4cb20$@mgedv.net>

no@spam@mgedv.net wrote:

Really, no one running jails on 10.1 with chmod o-rwx of the jail-home? ;-)

cheers


-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of no@spam@mgEDV.net
Sent: Sunday, December 07, 2014 2:34 AM
To: freebsd-questions@freebsd.org
Subject: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped
completely

hi guys,

As the "real" application faces the same problems, I created a test
jail on a clean box just to check the behaviour using "/usr/bin/id".

Problem description (hopefully I nailed it):
If a jailed process needs any .so for startup, the path to those *.so
needs to be world r-x, although the GID of the jail execute user
is allowed to r/x the dirs where the *.so files are to be found.
There could be (ordering) errors with SET(e)GID in the jail_* functions,
because it works as expected when prefixing with "chroot -g test /".
The EGID is dropped to the jail user's gid, but the GID is still 0!
We end up with a jailed proc (UID=999, GID=0), which of course is
not allowed to access the dirs for the *.so's to be loaded by exec.
[see end of message for setup details]

=== the symptom ===
/jail# /jail/a.sh
Shared object "libbsm.so.3" not found, required by "id"
jail: /bin/id: failed

=== details from truss ===
  619: access("/lib/libbsm.so.3",0)              ERR#13 'Permission denied'
  619: access("/usr/lib/libbsm.so.3",0)          ERR#13 'Permission denied'

=== some UID/GID details from kdump ===
/jail# grep -i '[g|s]et.*id' jail.kdump
64746 100091 jail     CALL  issetugid
64746 100091 jail     RET   issetugid 0
64746 100091 jail     CALL  issetugid
64746 100091 jail     RET   issetugid 0
64747 100093 jail     CALL  geteuid
64747 100093 jail     RET   geteuid 0
64747 100093 jail     CALL  setuid(0x3e7)
64747 100093 jail     RET   setuid 0
64747 100093 jail     CALL  getuid
64747 100093 jail     RET   getuid 999/0x3e7
64747 100093 jail     CALL  geteuid
64747 100093 jail     RET   geteuid 999/0x3e7
64747 100093 jail     CALL  getegid
64747 100093 jail     RET   getegid 999/0x3e7
64747 100093 jail     CALL  setegid(0x3e7)
64747 100093 jail     RET   setegid -1 errno 1 Operation not permitted
64747 100093 jail     CALL  seteuid(0x3e7)
64747 100093 jail     RET   seteuid 0
64747 100093 jail     CALL  seteuid(0x3e7)
64747 100093 jail     RET   seteuid 0
64747 100093 jail     CALL  setegid(0x3e7)
64747 100093 jail     RET   setegid -1 errno 1 Operation not permitted
64747 100093 id       CALL  issetugid
64747 100093 id       RET   issetugid 1

=== proof 1: chroot fixes the jail .so load problem ===
# outside the jail - just to know what's changing:
/jail# chroot -g test / id
uid=0(root) gid=0(wheel) egid=999(test) groups=999(test),5(operator)
# inside the jail - this is our "fix":
/jail# chroot -g test / /jail/a.sh
uid=999 gid=999(test) groups=999(test)

=== proof 2: chmod fixes *.so load, but GID=0 here! ===
If I chmod the jail homedir and the jail's lib dir, it works:
/jail# chmod a+rx /jail /jail/lib
/jail# ./a.sh
uid=999 gid=0(wheel) egid=999(test) groups=999(test)

User and group names are read fine from the jailed "id",
although the file perms are as listed below.

Is this a bug or am I missing something?
Any help/info/enlightenment appreciated ;-)
[just reply to the list, I'm on it]


==== CONFIG (tested 3 different times with GENERIC and a CUSTOM kernel):
LiveCD install source: FreeBSD-10.1-RELEASE-amd64-disc1.iso
sha256:
0c3d64ce48c3ef761761d0fea07e1935e296f8c045c249118bc91a7faf053a6b
Fresh install on 2 different ESXi 5.5 hosts and a 3rd physical PC.
Only base.tgz+kernel.tgz or liveCD, tried on UFS2 (gpt) and tmpfs.
I used the www user and tmpfs on the liveCD, but everything else was the same.

=== the test user ===
/jail# id -P test
test:*:999:999::0:0:User &:/home/test:/bin/sh

=== the jail (before the mentioned chmod) ===
/jail# ls -Ralo
total 68
dr-xr-xr-x   6 root  test   -   512 Dec  7 01:02 .
drwxr-xr-x  19 root  wheel  -   512 Dec  7 00:06 ..
-rwx------   1 root  test   -   773 Dec  7 01:00 a.sh
dr-xr-x---   2 root  test   -   512 Dec  6 23:58 bin
drwxr-x---   2 root  test   -   512 Dec  7 01:01 etc
-rw-r-----   1 root  test   - 37157 Dec  7 01:02 jail.truss
dr-xr-xr-x   2 root  test   -   512 Dec  6 23:59 lib
dr-xr-x---   2 root  test   -   512 Dec  7 00:00 libexec

./bin:
total 24
dr-xr-x---  2 root  test  -   512 Dec  6 23:58 .
dr-xr-xr-x  6 root  test  -   512 Dec  7 01:02 ..
-r-xr-x---  1 root  test  - 12432 Nov 11 22:03 id

./etc:
total 60
drwxr-x---  2 root  test  -   512 Dec  7 01:01 .
dr-xr-xr-x  6 root  test  -   512 Dec  7 01:02 ..
-rw-r-----  1 root  test  -   473 Dec  7 00:04 group
-rw-r-----  1 root  test  -   321 Dec  7 01:01 nsswitch.conf
-rw-r-----  1 root  test  -  1570 Dec  7 00:27 passwd
-rw-------  1 root  test  - 40960 Dec  7 00:27 spwd.db

./lib:
total 1744
dr-xr-xr-x  2 root  test  -     512 Dec  6 23:59 .
dr-xr-xr-x  6 root  test  -     512 Dec  7 01:02 ..
-r--r-----  1 root  test  -  106264 Nov 11 22:03 libbsm.so.3
-r--r-----  1 root  test  - 1631216 Nov 11 22:03 libc.so.7

./libexec:
total 124
dr-xr-x---  2 root  test  -    512 Dec  7 00:00 .
dr-xr-xr-x  6 root  test  -    512 Dec  7 01:02 ..
-r-xr-x---  1 root  test  - 118520 Nov 11 22:03 ld-elf.so.1


=== the start command ===
/jail# cat a.sh

umask 027;
rm -f /jail/jail.truss /jail/jail.kdump /jail/jail.ktrace

#/usr/bin/truss -f -e -a -o /jail/jail.truss -s 1000 \
ktrace -d -f /jail/jail.ktrace -i -t cinpstuy \
jail -c jid=1 \
    name=test \
    path=/jail \
    ip4.addr=1.1.1.1 \
    host.hostuuid=c91e438a-1a44-4b7e-8732-0441ca9e2b97 \
    host.hostid=6146666201 \
    allow.sysvipc=0 \
    allow.raw_sockets=0 \
    exec.jail_user=test \
    exec.system_user=test \
    exec.system_jail_user=true \
    host.hostname=test \
    host.domainname=test.me \
    allow.set_hostname=0 \
    allow.chflags=0 \
    allow.mount=0 \
    allow.quotas=0 \
    allow.socket_af=0 \
    enforce_statfs=2 \
    ip4=new \
    ip6=disable \
    command=/bin/id

kdump -H -f /jail/jail.ktrace >/jail/jail.kdump

===  EOM ===

First off, I cannot give you an answer of the type you're looking for.
But I run 47 jails (a jail per classroom student), all built using
qjail on a 10.0 system, without any problems.
So my guess is your problem may be related to the way you built your
jail directory filesystem.
Secondly, you have way too many jail.conf statements that are not needed
to define a jail.
All the statements that end in =0 do not need the =0; just the
statement name will work.
The allow.sysvipc and allow.raw_sockets options break the security of the
jail and should never be used on a production jail accepting traffic
from the public internet.
When you start a jail you should use the jail's name, not the JID that
you hope is correct.
You may be interested in the jail-primer port. It provides jail
documentation that should be in the handbook.
http://jail-primer.sourceforge.net/
Try building your jail using qjail or the jail-primer scripts to see if
your problem goes away.
Good luck
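The kdump in the quoted message shows the order that produces the half-dropped state: setuid(0x3e7) succeeds first, and every later setegid(0x3e7) fails with EPERM, because a process that has already given up uid 0 may no longer move its gid away from the real/saved gid of 0. The result is the "uid=999 gid=0(wheel) egid=999(test)" line from the chmod experiment. The following C program is an added example, not code from the thread or from FreeBSD's jail(8); it drops privileges in the order that keeps every step permitted (supplementary groups, then gid, then uid) and then runs the two checks a defender would want: that real and effective ids both match the target, and that the process can no longer switch its effective gid back to 0. The target uid/gid 999 in main() mirror the thread's "test" account and are an assumption; when the program is not started as root it falls back to its own ids so it still runs.

```c
/* Added example: privilege drop in the safe order plus checks for the
 * leftover-gid-0 state described in the thread.  Builds on FreeBSD and
 * Linux with a plain `cc`.  Run as root to watch a real drop to 999/999. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid: supplementary groups, then gid, then uid.  Each step
 * still has uid 0 when it runs, and setgid()/setuid() change real,
 * effective and saved id together, so no setegid()/seteuid() is needed
 * afterwards.  Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only uid 0 may replace the supplementary group list; an
     * unprivileged caller has nothing to reset and would just get EPERM. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)   /* still uid 0 here, so this is permitted */
        return -1;
    if (setuid(uid) != 0)   /* last: this is the step that gives up root */
        return -1;
    return 0;
}

/* 1 if real and effective uid both equal `uid` and real and effective
 * gid both equal `gid`; 0 otherwise.  The thread's failure shows up here
 * as getgid() == 0 while getegid() == 999. */
int drop_is_complete(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* 1 if the process can still switch its effective gid to `gid`, 0 if the
 * kernel refuses.  After a complete drop to a non-zero gid,
 * can_set_egid(0) must be 0; a leftover real or saved gid of 0 would let
 * the call succeed and the probe then reports the incomplete drop. */
int can_set_egid(gid_t gid)
{
    gid_t before = getegid();
    if (setegid(gid) != 0)
        return 0;
    (void)setegid(before);  /* restore so later checks see the same state */
    return 1;
}

int main(void)
{
    /* 999/999 is the thread's "test" account (an assumption); when not
     * run as root, fall back to our own ids so the program still executes. */
    uid_t uid = geteuid() == 0 ? (uid_t)999 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)999 : getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    int complete = drop_is_complete(uid, gid);
    int regain   = can_set_egid(0);
    printf("uid=%u euid=%u gid=%u egid=%u\n", (unsigned)getuid(),
           (unsigned)geteuid(), (unsigned)getgid(), (unsigned)getegid());
    printf("complete drop to %u/%u: %s\n", (unsigned)uid, (unsigned)gid,
           complete ? "yes" : "NO");
    printf("can still become egid 0: %s\n", regain ? "yes" : "no");
    return (complete && !regain) ? 0 : 2;
}
```

The point of the two probes is that `id` output alone can be misread: the shell in the thread shows a 999 egid and is satisfied, while the real gid is still 0. Checking both real and effective ids, and actively trying to regain the privileged gid, turns the ordering bug into a hard failure at startup instead of a permission error on a shared library.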
