Re: Rooting FreeBSD , Privilege Escalation using Jails (P??????tur)



"Poul-Henning Kamp" <phk@xxxxxxxxxxxxxx> writes:
"Dag-Erling Smørgrav" <des@xxxxxx> writes:
Jason Hellenthal <jhell@xxxxxxxxxx> writes:
Do you know if there is a way that chmod on / from within the jail could
be prevented easily without breaking something ? Maybe not failing but
falling though and return 0 for any operation with the sole argument of /.
Not without adding explicit checks in the kernel.
I identified this issue back when I implemented jails and though long
and hard about adding a kernel hack to paste over this. [...] I
think we should stick to [Getty's rule] before adding more or less
random pieces of magic to the kernel.

I vote no as well, but for a different reason: there are many other
things the jailed root can do to the root directory, including flags,
extended attributes, etc. (some of which are fs-dependent), and it would
be difficult or impossible to identify all of them, not to mention those
that aren't yet possible but will be in the future. Fixing just one (or
two, or five) of them today might give users a false sense of security,
which is inexcusable when we can give a *true* sense of security by
telling them to "chmod 0700 $D/..".

DES
--
Dag-Erling Smørgrav - des@xxxxxx
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • [UNIX] Flaws Found in Recent Linux Kernels (newgrp, symblinks)
    ... Flaws Found in Recent Linux Kernels (newgrp, ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... An attacker can force the kernel to spend almost arbitrary amount of time ... script creates 5 symlinks, each of them containing 2*N+1 path elements. ...
    (Securiteam)
  • [UNIX] Linux Kernel File Offset Pointer Handling
    ... Get your security news from a reliable source. ... The Linux kernel offers a file handling API to the userland applications. ... One of the properties of the file object is something called 'file offset' ... about one page of un-initialized kernel memory and can be exploited to ...
    (Securiteam)
  • [UNIX] Kmail HTML Support Allows Spoofing of Emails Content
    ... Get your security news from a reliable source. ... system call handler in the 2.4 Linux Kernel on the AMD64 platform a local attacker can gain root access using a simple program. ... it contains the sources that the binary kernel rpm packages are created from. ... Since the kernel-source.rpm is an installable package that contains sources for the linux kernel, it is not the source RPM for the kernel RPM binary packages. ...
    (Securiteam)
  • Re: thoughts on kernel security issues
    ... major security figure and/or haven't donated your life to security and ... the developer and more focus on the development. ... That's pretty complex in terms of kernel code, ... > most of the extra patches that distribution kernels apply are patches ...
    (Linux-Kernel)
  • [UNIX] Grsecurity Allows Modifying of "read-only kernel"
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... local attackers to overwrite the memory content even though protection ... root will not be able to modify the contents of kernel ...
    (Securiteam)