getpgid & getsid work from within a jail

From: Stephanie Wehner (_@r4k.net)
Date: 05/22/02


Date: Wed, 22 May 2002 21:30:33 +0200
From: Stephanie Wehner <_@r4k.net>
To: freebsd-security@freebsd.org

Hi,

[this was mailed to security-officer@ already and I submitted a pr
with a patch, but this is not really a serious problem and I have
some questions, which you might answer]

Just accidentally stumbled across two (minor) problems with the FreeBSD
jail when looking at kern_prot.c. I verified this by setting up a
small jail. The system I was using is 4.6-RC cvsupd yesterday evening.

It is possible to obtain the process group id and the session id
of processes running outside the current jail. This is due to the
fact that getsid and getpgid in sys/kern/kern_prot.c do not check
if the pid that is found is within the current jail.

I've submitted a test program and a patch via send-pr. Please note
that this fix returns ESRCH when the process is not found and not
EPERM. This is related to another problem:

It is possible to verify the existence of a certain process id outside
the current jail by various means. I personally see this as a minor
problem, although I'm not sure if you feel this is a problem. There
are some inconsistencies in the code, which either deny the existence
of the process (like ps) or return permission denied instead of not found:

root@testjail:~ # kill 67
bash: kill: (67) - Operation not permitted
root@testjail:~ # kill 68
bash: kill: (68) - No such process
root@testjail:~ # ktrace -p 67
ktrace: ktrace.out: Operation not permitted
root@testjail:~ # ktrace -p 68
ktrace: ktrace.out: No such process

...I did not provide a patch for this as I wasn't sure how you want to
handle this problem. Also I have been wondering why the prison check is
not done within pfind (see kern_proc.c) itself? I suppose there must
be a reason for it? btw, I've been asking myself this as well with the
ps_showallprocs flag.

bye,
Stephanie
--<> _@r4k.net <>------------------<> FreeBSD <>-------------------
#3 - Anime Law of Sonic Amplification, First Law of Anime Acoustics
In space, loud sounds, like explosions, are even louder because
there is no air to get in the way.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
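A probe program, added here as an illustration of the behaviour the mail describes. It is not the test program Stephanie submitted with the PR and is not FreeBSD code; it assumes only the POSIX kill(2), getpgid(2) and getsid(2) calls and a fork/waitpid pair for the self-check. For every pid up to a limit it asks all three calls the same question and prints the pids that are confirmed to exist although the caller may not signal them: a kill(2) that answers EPERM rather than ESRCH, or a getpgid/getsid that still hands back a group or session id. On a jailed kernel without the prison check in getpgid/getsid, a pid that kill and ps deny would be expected to show up here with a valid pgid and sid; on a kernel whose checks agree, only kill's own EPERM answers remain.

```c
/* Added example for this page, not the PR's test program: compare what
 * kill(2), getpgid(2) and getsid(2) reveal about the same pid. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What a single syscall's outcome tells the caller about the target pid. */
enum visibility {
    VIS_VISIBLE,      /* the call succeeded */
    VIS_EXISTS_EPERM, /* EPERM: the pid exists but is off limits to us */
    VIS_ABSENT,       /* ESRCH: "no such process" */
    VIS_OTHER
};

struct probe {
    pid_t pid;
    int kill_err;     /* errno from kill(pid, 0), 0 on success */
    int pgid_err;     /* errno from getpgid(pid), 0 on success */
    int sid_err;      /* errno from getsid(pid), 0 on success */
    pid_t pgid;       /* meaningful only when pgid_err == 0 */
    pid_t sid;        /* meaningful only when sid_err == 0 */
};

enum visibility classify(int err)
{
    switch (err) {
    case 0:     return VIS_VISIBLE;
    case EPERM: return VIS_EXISTS_EPERM;
    case ESRCH: return VIS_ABSENT;
    default:    return VIS_OTHER;
    }
}

static const char *vis_name(enum visibility v)
{
    static const char *names[] = { "ok", "EPERM", "ESRCH", "other" };
    return names[v];
}

/* Record what each of the three calls says about one pid. */
struct probe probe_pid(pid_t pid)
{
    struct probe p;
    memset(&p, 0, sizeof p);
    p.pid = pid;
    p.kill_err = (kill(pid, 0) == -1) ? errno : 0;
    p.pgid = getpgid(pid);
    p.pgid_err = (p.pgid == -1) ? errno : 0;
    p.sid = getsid(pid);
    p.sid_err = (p.sid == -1) ? errno : 0;
    return p;
}

/* The leak: a pid we may not signal is still confirmed to exist when any
 * call succeeds or answers EPERM instead of ESRCH (kill's own EPERM, or a
 * getpgid/getsid that returns an id without checking the prison). */
int leaks_existence(const struct probe *p)
{
    enum visibility k = classify(p->kill_err);
    enum visibility g = classify(p->pgid_err);
    enum visibility s = classify(p->sid_err);
    if (k == VIS_VISIBLE)
        return 0;                      /* ordinary, signalable process */
    return k == VIS_EXISTS_EPERM || g == VIS_VISIBLE || g == VIS_EXISTS_EPERM
        || s == VIS_VISIBLE || s == VIS_EXISTS_EPERM;
}

/* Build a probe from errno values alone, e.g. to model "kill 67: EPERM". */
int leak_case(int kill_err, int pgid_err, int sid_err)
{
    struct probe p = { 0, kill_err, pgid_err, sid_err, 0, 0 };
    return leaks_existence(&p);
}

/* A pid that certainly no longer exists: fork a child, let it exit, reap
 * it.  Returns -1 if fork fails. */
pid_t reaped_pid(void)
{
    pid_t c = fork();
    if (c == 0)
        _exit(0);
    if (c > 0)
        waitpid(c, NULL, 0);
    return c;
}

int main(int argc, char **argv)
{
    pid_t limit = argc > 1 ? (pid_t)atoi(argv[1]) : 2000;
    int found = 0;
    for (pid_t pid = 1; pid <= limit; pid++) {
        struct probe p = probe_pid(pid);
        if (!leaks_existence(&p))
            continue;
        found++;
        printf("pid %6d: kill=%-5s getpgid=%-5s getsid=%-5s", (int)pid,
               vis_name(classify(p.kill_err)), vis_name(classify(p.pgid_err)),
               vis_name(classify(p.sid_err)));
        if (p.pgid_err == 0) printf(" pgid=%d", (int)p.pgid);
        if (p.sid_err == 0)  printf(" sid=%d", (int)p.sid);
        putchar('\n');
    }
    printf("%d pid(s) in 1..%d exist but cannot be signalled\n", found, (int)limit);
    return 0;
}
```

Compile with `cc -o probe probe.c` and run it inside the jail, optionally with an upper pid bound as the only argument; the pids it lists are the ones whose existence outside the jail the three calls disagree about.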