Hello list!
I'm running a FreeBSD 6.2-p8 box with a few jails. The other day a
user of mine uploaded a number of files to one jail, then I (in the
actual system outside of all jails) moved that directory to another
jail.. When I later did some chdiring in the original jail, I found
myself standing in my other jail's pwd and being able to
read/manipulate files!..
Example:
jb-1 (the base machine, jailbox-1)
shell (jail 1)
core (jail 2)
shell /home/johan# pwd
/home/johan
shell /home/johan# ls
.cshrc .irssi .login_conf .mailrc .profile .shrc .zcompdump public_html
.histfile .login .mail_aliases .noident .rhosts .ssh .zshrc
shell /home/johan# mkdir test
shell /home/johan# cd test
shell /home/johan/test# touch asd
shell /home/johan/test# ls -al
total 4
drwxr-xr-x 2 root root 512 Dec 28 13:09 .
drwxr-x--x 6 johan johan 512 Dec 28 13:09 ..
-rw-r--r-- 1 root root 0 Dec 28 13:09 asd
shell /home/johan/test#
Then moving it on the root box
jb-1 /usr/jails# mv shell/home/johan/test core/home/johan/
jb-1 /usr/jails#
And back on shell jail:
shell /home/johan/test# ls
asd
shell /home/johan/test# pwd
pwd: .: No such file or directory
shell /home/johan/test# cd ..
shell /home/johan# ls
.cshrc .lesshst .mailrc .shrc .vimrc file.big roundcube.sql www.tar.gz
.histfile .login .mysql_history .ssh .zcompdump pics stuff
.history .login_conf .profile .vim .zshrc postfix-2.4.5 test
.irssi .mail_aliases .rhosts .viminfo cacert.pem public_html vmail.tar.gz
shell /home/johan#
That's my home dir on core!.. That should very much not be visible
there! I have full access now (from the wrong jail!)
Known bug or did I just stumble upon something pretty bad??
--
Johan Ström
Stromnet
johan@stromnet.se
http://www.stromnet.se/
On Dec 28, 2007, at 13:41 , Edwin Groothuis wrote:
> On Fri, Dec 28, 2007 at 01:15:38PM +0100, Johan Ström wrote:
>> That's my home dir on core!.. That should very much not be visible
>> there! I have full access now (from the wrong jail!)
>>
>> Known bug or did I just stumble upon something pretty bad??
>
> You didn't really break out of it, the person who managed the machine
> did something he shouldn't have done: Moving the directories while
> the jail(s) were running. It should be mentioned in the BUGS section
> of the jail(8) command.
>
Yes, that's true.. Without "super-root" doing that the "breakout" would
never happen. But still a bug, so yes I guess it should be mentioned in
BUGS (and handbook too? not sure where this kind of "special features"
are noted) unless it's fixed.
--
Johan
On Fri, Dec 28, 2007 at 01:15:38PM +0100, Johan Ström wrote:
> That's my home dir on core!.. That should very much not be visible
> there! I have full access now (from the wrong jail!)
>
> Known bug or did I just stumble upon something pretty bad??
You didn't really break out of it, the person who managed the machine
did something he shouldn't have done: Moving the directories while
the jail(s) were running. It should be mentioned in the BUGS section
of the jail(8) command.
Edwin
--
Edwin Groothuis | Personal website: http://www.mavetju.org
edwin@mavetju.org | Weblog: http://www.mavetju.org/weblog/
Dr. Aharon Friedman
2007-Dec-29 17:58 UTC
I just broke out of a FreeBSD jail.. Known bug??
It does not look like you broke it. Moving directories between jails while
they are running is not part of the game as it breaks chroot. You could
manipulate files between jails with the jails up by using networking, such
as ftp.
Obviously, one could program chroot to be able to "eat" this stuff, but it
will make the system cumbersome. Remember, Jails are supposed to protect
against an outside attacker, not against the sys admin.
Aharon
-----Original Message-----
From: Johan Ström [mailto:johan@stromnet.se]
Sent: Friday, December 28, 2007 7:16 AM
To: freebsd-stable@freebsd.org
Subject: I just broke out of a FreeBSD jail.. Known bug??
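The mechanism discussed in this thread, as an added example that is not part of the original messages: within one filesystem `mv` is a rename(2), so a process whose working directory is the moved directory travels with it, while copy-then-delete leaves that process in the removed original. Two temporary directories stand in for the jail roots (no jail(8) or chroot is involved); the function name and the marker files are constructed for the illustration.

```shell
#!/bin/sh
# Constructed demo: $base/shell and $base/core are plain directories standing
# in for the two jail roots from the thread. Nothing here needs root.

# parent_seen_after METHOD
#   A process sits in shell/home/johan/test while the "host" relocates that
#   directory into core/home/johan using METHOD (rename | copy).
#   Prints the marker file that process then finds in "..", or GONE if ".."
#   no longer resolves.
parent_seen_after() {
    method=$1
    base=$(mktemp -d) || return 1
    mkdir -p "$base/shell/home/johan/test" "$base/core/home/johan"
    touch "$base/shell/home/johan/test/asd"
    touch "$base/shell/home/johan/IN_SHELL" "$base/core/home/johan/IN_CORE"
    (
        # The "jailed" process: its cwd is the directory about to be moved.
        cd "$base/shell/home/johan/test" || exit 1
        case $method in
            rename)
                # Same filesystem: mv keeps the directory's identity, so the
                # cwd above now lives under core/.
                mv "$base/shell/home/johan/test" "$base/core/home/johan/"
                ;;
            copy)
                # New directory under core/, then delete the original. The
                # cwd stays attached to the deleted original.
                cp -Rp "$base/shell/home/johan/test" "$base/core/home/johan/" &&
                    rm -rf "$base/shell/home/johan/test"
                ;;
        esac
        # ".." is resolved by the kernel from the real cwd, not from $PWD.
        ls .. 2>/dev/null | grep '^IN_' || echo GONE
    )
    rm -rf "$base"
}

echo "after rename: $(parent_seen_after rename)"
echo "after copy:   $(parent_seen_after copy)"
```

After the copy the process never sees `IN_CORE`; depending on the operating system, `..` from the removed directory either fails or still resolves to the old parent inside its own tree.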