On 12/28/2011 02:58 AM, Marin Atanasov Nikolov wrote:
Hello,

Today I've managed to escape from a jail by accident and ended up with
root access to the host's filesystem.

Here's what I did:

  * Using ezjail for managing my jails
  * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
  * This works only when I use sudo, and cannot reproduce if I execute
everything as root

First, created a folder *inside* the jail and cd to it:

  host$ sudo ezjail-admin console jail-test

  jail-test# id
  uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

  jail-test# mkdir ~/jail-folder
  jail-test# cd ~/jail-folder

  jail-test# pwd
  /root/jail-folder

Then from the host machine I've moved this folder to the cwd.

  host$ pwd
  /usr/home/mra

  host$ sudo mv /home/jails/jail-test/root/jail-folder .

And then here's where the jail ends up :)

  jail-test# pwd
  /usr/home/mra/jail-folder

From here on the Jail's root user has full root privileges to the
host's filesystem.

Not sure if it is a sudo or jail issue, and it would be nice if someone
with more experience can check this up :)

Regards,
Marin


This is rather fascinating.

I agree with the poster that the jail didn't really escape, but was "sprung from the outside."

But more than that, I imagine it would be very hard to stop this without either completely rethinking how unix filesystems work, or adding significant overhead to the OS so that it checks every single "mv" command against all existing jails.

I think the warning in the man page http://svnweb.freebsd.org/base/head/usr.sbin/jail/jail.8?r1=221665&r2=224286 is a better way to go.

Stephen

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
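
A host-side guard for the `mv` described in this thread, as an added example that is not part of either message, of FreeBSD, or of ezjail. It flags a move that would carry a directory from inside a jail's root to outside it; the function names, the constructed directory layout, and passing the jail roots in as a list are assumptions.

```python
import os
import tempfile


def _inside(path, root):
    # True when path is root itself or lies below it (both already resolved).
    return os.path.commonpath([path, root]) == root


def moves_out_of_jail(src, dst, jail_roots):
    """Return the jail root that src would leave, or None if the move is harmless.

    realpath() resolves "." and symlinks such as /home -> /usr/home, so the
    two spellings used in the post compare as the same directory.
    """
    src_r = os.path.realpath(src)
    dst_r = os.path.realpath(dst)
    for root in jail_roots:
        root_r = os.path.realpath(root)
        # Moving the jail root itself is not the case discussed in the thread.
        if src_r != root_r and _inside(src_r, root_r) and not _inside(dst_r, root_r):
            return root
    return None


def build_constructed_layout(base):
    """Constructed tree mirroring the post's paths under a scratch directory."""
    os.makedirs(os.path.join(base, "usr/home/jails/jail-test/root/jail-folder"))
    os.makedirs(os.path.join(base, "usr/home/jails/jail-test/tmp"))
    os.makedirs(os.path.join(base, "usr/home/mra"))
    os.symlink("usr/home", os.path.join(base, "home"))  # FreeBSD-style /home link
    return os.path.join(base, "home/jails/jail-test")   # jail root, symlinked spelling


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        jail = build_constructed_layout(base)
        src = os.path.join(jail, "root/jail-folder")
        os.chdir(os.path.join(base, "usr/home/mra"))
        # Same shape as the post: source inside the jail, destination "." on the host.
        hit = moves_out_of_jail(src, ".", [jail])
        print("refuse move, leaves jail:" if hit else "move allowed", hit or "")
        os.chdir(base)  # step out before the scratch directory is removed
```

The check only covers moves made through a wrapper that calls it; the man page warning Stephen links to still applies to any other way the host moves directories.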
