Marin Atanasov Nikolov
2011-Dec-28 09:24 UTC
Escaping from a jail with root privileges on the host
Hello,

Today I've managed to escape from a jail by accident and ended up with
root access to the host's filesystem.

Here's what I did:

* Using ezjail for managing my jails
* Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
* This works only when I use sudo, and cannot reproduce if I execute
  everything as root

First, created a folder *inside* the jail and cd to it:

host$ sudo ezjail-admin console jail-test

jail-test# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

jail-test# mkdir ~/jail-folder
jail-test# cd ~/jail-folder

jail-test# pwd
/root/jail-folder

Then from the host machine I've moved this folder to the cwd.

host$ pwd
/usr/home/mra

host$ sudo mv /home/jails/jail-test/root/jail-folder .

And then here's where the jail ends up :)

jail-test# pwd
/usr/home/mra/jail-folder

From here on the Jail's root user has full root privileges to the
host's filesystem.

Not sure if it is sudo or jail issue, and would be nice if someone
with more experience can check this up :)

Regards,
Marin

--
Marin Atanasov Nikolov

dnaeon AT gmail DOT com
daemon AT unix-heaven DOT org
http://www.unix-heaven.org/
Bjoern A. Zeeb
2011-Dec-28 09:42 UTC
Escaping from a jail with root privileges on the host
On 28. Dec 2011, at 08:58 , Marin Atanasov Nikolov wrote:

> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.

This has been discussed to lengths within the last year (I think it was).
See the updated man page:

http://svnweb.freebsd.org/base/head/usr.sbin/jail/jail.8?r1=221665&r2=224286

/bz

--
Bjoern A. Zeeb
You have to have visions!
Stop bit received. Insert coin for new address family.
Poul-Henning Kamp
2011-Dec-28 09:47 UTC
Escaping from a jail with root privileges on the host
In message <CAJ-UWtQnYWb8TUzk91Z+CxgfVsDM=WtBDrpP_V9pBnv7ar47Fw@mail.gmail.com>,
Marin Atanasov Nikolov writes:

>Then from the host machine I've moved this folder to the cwd.
>[...]
>Not sure if it is sudo or jail issue, and would be nice if someone
>with more experience can check this up :)

That's an "error-42" issue.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Julian Elischer
2011-Dec-28 18:58 UTC
Escaping from a jail with root privileges on the host
On 12/28/11 12:58 AM, Marin Atanasov Nikolov wrote:

> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
>   everything as root
>
> First, created a folder *inside* the jail and cd to it:
>
> host$ sudo ezjail-admin console jail-test
>
> jail-test# id
> uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>
> jail-test# mkdir ~/jail-folder
> jail-test# cd ~/jail-folder
>
> jail-test# pwd
> /root/jail-folder
>
> Then from the host machine I've moved this folder to the cwd.
>
> host$ pwd
> /usr/home/mra
>
> host$ sudo mv /home/jails/jail-test/root/jail-folder .
>
> And then here's where the jail ends up :)
>
> jail-test# pwd
> /usr/home/mra/jail-folder
>
> From here on the Jail's root user has full root privileges to the
> host's filesystem.
>
> Not sure if it is sudo or jail issue, and would be nice if someone
> with more experience can check this up :)

This is not really "escaping". It's more like "being sprung by your
friends outside" since it requires outside participation. The jailed
process cannot do it by itself.

Now what would be more interesting is if the jailed process can make a
new jail inside the old jail and then 'spring' the inmate there. Will
that inmate be still inside the parent jail, or outside both jails?

> Regards,
> Marin
>
Benjamin Kaduk
2011-Dec-28 20:54 UTC
Escaping from a jail with root privileges on the host
[minus -stable]

On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:

> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
>   everything as root

I cannot see how the use of sudo would be relevant -- the fundamental
issue merely requires the vnode of the directory in question to be moved
(not copied) past the jail's root vnode. Could you give a bit more detail
about how you came to believe that sudo is necessary?

-Ben Kaduk
Stephen Montgomery-Smith
2011-Dec-28 21:09 UTC
Escaping from a jail with root privileges on the host
On 12/28/2011 02:58 AM, Marin Atanasov Nikolov wrote:

> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
>   everything as root
>
> First, created a folder *inside* the jail and cd to it:
>
> host$ sudo ezjail-admin console jail-test
>
> jail-test# id
> uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>
> jail-test# mkdir ~/jail-folder
> jail-test# cd ~/jail-folder
>
> jail-test# pwd
> /root/jail-folder
>
> Then from the host machine I've moved this folder to the cwd.
>
> host$ pwd
> /usr/home/mra
>
> host$ sudo mv /home/jails/jail-test/root/jail-folder .
>
> And then here's where the jail ends up :)
>
> jail-test# pwd
> /usr/home/mra/jail-folder
>
> From here on the Jail's root user has full root privileges to the
> host's filesystem.
>
> Not sure if it is sudo or jail issue, and would be nice if someone
> with more experience can check this up :)
>
> Regards,
> Marin
>

This is rather fascinating. I agree with the poster that the jail didn't
really escape, but was "sprung from the outside."

But more than that, I imagine it would be very hard to stop this without
either completely rethinking how unix filesystems work, or adding
significant overhead to the OS so that it checks every single "mv"
command against all existing jails.

I think the warning in the man page

http://svnweb.freebsd.org/base/head/usr.sbin/jail/jail.8?r1=221665&r2=224286

is a better way to go.

Stephen
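
Added example, not part of the thread and not FreeBSD or ezjail code: the per-"mv" check discussed in the last message, done as a host-side wrapper around mv rather than in the kernel. The function names (physdir, under, crosses_jail_root, guarded_mv) are made up for this example, and the jail root paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: host-side guard against renaming a directory out of a jail.
# Jail roots are passed as arguments (constructed paths when testing); on a
# FreeBSD host they could be taken from `jls path` (assumption).

# physdir DIR: print the physical (symlink-free) path of an existing directory.
physdir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# under ROOT PATH: succeed if PATH equals ROOT or lies below it.
under() {
    case "$2/" in
        "$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# crosses_jail_root SRC DST ROOT...
# Returns 0 if SRC is a directory strictly inside one of the jail ROOTs and
# the place it would land is outside that ROOT, i.e. the rename would carry
# a directory past the jail's root. Returns 1 otherwise, 2 on unresolvable paths.
crosses_jail_root() {
    src=$1 dst=$2; shift 2
    # Only a real directory can be a process's cwd; a symlink move is harmless.
    [ -d "$src" ] && [ ! -L "$src" ] || return 1
    src_real=$(physdir "$src") || return 2
    # mv into an existing directory lands inside it; otherwise in DST's parent.
    if [ -d "$dst" ]; then dst_dir=$dst; else dst_dir=$(dirname "$dst"); fi
    dst_real=$(physdir "$dst_dir") || return 2
    for root in "$@"; do
        root_real=$(physdir "$root") || continue
        if under "$root_real" "$src_real" && [ "$src_real" != "$root_real" ] &&
           ! under "$root_real" "$dst_real"; then
            return 0
        fi
    done
    return 1
}

# guarded_mv SRC DST ROOT...: run mv unless it would cross a jail root.
guarded_mv() {
    if crosses_jail_root "$@"; then
        echo "refusing: $1 would leave its jail root" >&2
        return 1
    fi
    mv -- "$1" "$2"
}
```

The wrapper only covers moves made through it; a plain mv or rename(2) issued on the host is not checked, so the jail(8) man page warning still applies.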