Daniel Jacobsson
2011-May-06 15:26 UTC
Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)
Daniel Jacobsson wrote on 2011-05-06 17:05:
> I read this (http://www.petur.eu/blog/?p=459) blog post today. It's
> about that a remote user with root privileges to a FreeBSD jail & user
> privileges to the jail's host machine can obtain root privileges on the
> host machine.
> Can someone confirm if this bug/exploit works?

Ah, think I found an old post (http://freebsd.1045724.n5.nabble.com/Thoughts-on-jail-privilege-FAQ-submission-td4219099.html) about this subject, so it seems to be old news.
Daniel Jacobsson
2011-May-06 16:02 UTC
Rooting FreeBSD , Privilege Escalation using Jails (Pétur)
I read this (http://www.petur.eu/blog/?p=459) blog post today. It's about that a remote user with root privileges to a FreeBSD jail & user privileges to the jail's host machine can obtain root privileges on the host machine.

Can someone confirm if this bug/exploit works?
Chris Rees
2011-May-06 16:03 UTC
Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)
On 6 May 2011 16:27, "Daniel Jacobsson" <daniel.jacobsson.90@gmail.com> wrote:
>
> Daniel Jacobsson wrote on 2011-05-06 17:05:
>>
>> I read this (http://www.petur.eu/blog/?p=459) blog post today. It's about that a remote user with root privileges to a FreeBSD jail & user privileges to the jail's host machine can obtain root privileges on the host machine.
>> Can someone confirm if this bug/exploit works?
>
> Ah, think I found an old post (http://freebsd.1045724.n5.nabble.com/Thoughts-on-jail-privilege-FAQ-submission-td4219099.html) about this subject, so it seems to be old news.

Oops, looks like I broke my promise to make a doc entry... Thanks for reminding me!

Chris
Jason Hellenthal
2011-May-10 23:18 UTC
Rooting FreeBSD , Privilege Escalation using Jails (Pétur)
Jamie,

On Tue, May 10, 2011 at 01:18:44PM +0100, Jamie Landeg Jones wrote:
>
> > Do you know if there is a way that chmod on / from within the jail could
> > be prevented easily without breaking something? Maybe not failing but
> > falling through and return 0 for any operation with the sole argument of /.
> > Enforcing 700 on the jail root?
>
> Whilst I was wrong on chmod 700 on (say) /usr/jails it is still the case
> that the root directory of the jail itself (/usr/jail/jailname) has to
> be 755 for non-root processes within the jail to access the filesystem!
>

Sorry for the late reply on this.

What I was thinking of is enforcing from within the jail that all system calls to chmod(2), chflags(2), chown(2) and anything that can change the directories access modes should be passed silently when the argument to the command is operating on the root directory.

--
Regards, (jhell)
Jason Hellenthal
Chris Rees
2011-May-11 10:06 UTC
Rooting FreeBSD , Privilege Escalation using Jails (Pétur)
On 11 May 2011 06:28, "Janne Snabb" <snabb@epipe.com> wrote:
>
> On Tue, 10 May 2011, Bakul Shah wrote:
>
> > Dumb question: the jail command can refuse to run unless the
> > parent of a jail root is 0700. Would that work? No kernel hack
> > required.
>
> I do not think that this should be enforced in kernel, in the jail(8)
> command nor anywhere else. UNIX rm(1) is not opening a pop-up window
> asking "are you sure?" if you do "rm -rf /".

I suggest you test this assertion....

Chris
Janne Snabb
2011-May-11 10:21 UTC
Rooting FreeBSD , Privilege Escalation using Jails (Pétur)
On Wed, 11 May 2011, Chris Rees wrote:
> On 11 May 2011 06:28, "Janne Snabb" <snabb@epipe.com> wrote:
> > UNIX rm(1) is not opening a pop-up window
> > asking "are you sure?" if you do "rm -rf /".
>
> I suggest you test this assertion....

I am surprised. I guess I have not done that for a while:

    rm: "/" may not be removed

Off-topic. Bad example. Replace with something more appropriate (such as the need to update jail directory tree contents without being root in the host system). Sorry.

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
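
The host-side condition quoted from Bakul Shah above (the parent of a jail root is 0700) can be audited from userland without touching jail(8) or the kernel. The script below is an added example, not part of the thread or of FreeBSD; the function name `audit_jail_parent` and its `trusted_uid` parameter are assumptions, and jail root paths are supplied by the caller.

```python
import os
import stat
import sys


def audit_jail_parent(jail_root, trusted_uid=0):
    """Check the host directory that contains jail_root.

    Returns a list of findings. An empty list means the parent is owned
    by trusted_uid and grants nothing to group or other (0700 or stricter).
    """
    root = os.path.realpath(jail_root)  # resolve symlinks before judging
    parent = os.path.dirname(root)
    if parent == root:
        return [f"{root}: no parent directory to restrict"]

    st = os.stat(parent)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != trusted_uid:
        findings.append(
            f"{parent}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if mode & 0o077:
        findings.append(
            f"{parent}: mode {mode:04o} lets group/other reach {root}")
    return findings


def main(argv):
    # Jail roots are passed as arguments. The jail root's own mode is not
    # judged: it has to stay 755 for non-root processes inside the jail,
    # and root inside the jail can change it, so the control is the parent.
    failed = False
    for jail_root in argv[1:]:
        for finding in audit_jail_parent(jail_root):
            failed = True
            print(finding)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the host with one or more jail root paths as arguments; a non-zero exit status means at least one parent directory is looser than 0700 or not owned by root.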