Re: Rooting FreeBSD, Privilege Escalation using Jails (P??????tur)



On Tue, 10 May 2011, Bakul Shah wrote:

> Dumb question: the jail command can refuse to run unless the
> parent of a jail root is 0700. Would that work? No kernel hack
> required.

I do not think that this should be enforced in the kernel, in the jail(8)
command, nor anywhere else. UNIX rm(1) does not open a pop-up window
asking "are you sure?" if you do "rm -rf /". The OS should not
impose arbitrary restrictions based on some random assumptions about
how a particular OS facility is going to be used.

I can easily think of several scenarios where such a restriction
would cause more trouble than benefit. One example: I might have
zero unprivileged users in the jail host (thus the restriction would
be unnecessary). I need to run a cron job in the jail host which
updates some data within the jails. I would rather not do this as root
but instead use a separate non-root user for the purpose (as it is
generally good practice to run everything as non-root unless it
is really necessary to be root). The proposed restriction would
defeat this possibility and force me to run all jail-related tasks
as root in the jail host, which might open it up to some other
potential security issues.

This should go into the documentation as a recommendation for some
common jail use cases, but seriously, really not in the code, please.

In UNIX we do not want to prevent people from shooting themselves
in the foot. We should assume that the system administrator knows
what they want and should not restrict their freedom to do so.

Just my thoughts,
--
Janne Snabb / EPIPE Communications
snabb@xxxxxxxxx - http://epipe.com/
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
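The 0700-parent convention from Bakul's suggestion, written as a pre-flight check an administrator can keep in their own jail-start script (the documentation-level recommendation rather than a rule inside jail(8)). This is an added example, not code from the thread or from FreeBSD; the function name jail_parent_ok and the optional OWNER argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check that the directory holding
# a jail root is owned by root with mode exactly 0700, so that
# unprivileged host users have no access to the directory above the
# jail root. Intended for an admin's own jail-start or cron script.
#
# jail_parent_ok JAILROOT [OWNER]
#   Returns 0 only when dirname(JAILROOT) is a directory owned by OWNER
#   (default: root) with mode 0700. OWNER is an assumption added so the
#   check can be exercised without root; leave it at the default in use.
jail_parent_ok() {
    jailroot=$1
    owner=${2:-root}
    parent=$(dirname "$jailroot")
    [ -d "$parent" ] || return 1
    # -perm 0700 matches the exact mode on both GNU and BSD find;
    # -maxdepth 0 limits the test to the parent directory itself.
    match=$(find "$parent" -maxdepth 0 -type d -perm 0700 -user "$owner" 2>/dev/null)
    [ -n "$match" ]
}

# Command-line use: refuse (exit 1) when the check fails, e.g.
#   jail_parent_ok /usr/jails/www || exit 1
if [ $# -ge 1 ]; then
    if jail_parent_ok "$1" "$2"; then
        echo "ok: parent of $1 is ${2:-root}-owned with mode 0700"
    else
        echo "refusing: parent of $1 is not ${2:-root}-owned with mode 0700" >&2
        exit 1
    fi
fi
```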



Relevant Pages

  • Re: getaffinity/setaffinity and cpu sets.
    ... created in a jail such that you know whether they can be changed in a ... This anonymous set will also be inherited across fork/thread ... In this model presently there are nodes marked as root. ... One place I'd like to implement CPU affinity is in the Sun Grid Engine ...
    (freebsd-arch)
  • Re: getaffinity/setaffinity and cpu sets.
    ... The notion would be that you can create a new numbered cpuset with cpuset. ... You can modify or inspect its affinity with get/setaffinity above and the CPU_WHICH_SET argument. ... This set would not be modifiable by user processes or by processes in a jail. ... Another option would be to expel the offending thread from the set that is in violation and reparent it to the real system root along with a syslog message or similar. ...
    (freebsd-arch)
  • Re: getaffinity/setaffinity and cpu sets.
    ... created in a jail such that you know whether they can be changed in a ... This anonymous set will also be inherited across fork/thread ... In this model presently there are nodes marked as root. ... be allocated a set of cpus that they can't change, ...
    (freebsd-arch)
  • Re: chroot versus jail for the name daemon
    ... > assuming named is running as user and group bind (rather than as root)? ... > 3) What happens if named is broken while in a jail, ... That means an attacker can set things up so ...
    (freebsd-questions)
  • Re: jail() House Rock
    ... Think carefully about exactly what kind of privileges your clients get. ... normal user account on the main server, and root inside the jail. ...
    (FreeBSD-Security)