Re: Escaping from a jail with root privileges on the host



[minus -stable]

On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:

Hello,

Today I've managed to escape from a jail by accident and ended up with
root access to the host's filesystem.

Here's what I did:

* Using ezjail for managing my jails
* Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
* This works only when I use sudo, and cannot reproduce if I execute
everything as root

I cannot see how the use of sudo would be relevant -- the fundametal issue merely requires the vnode of the directory in question to be moved (not copied) past the jail's root vnode. Could you give a bit more detail about how you came to believe that sudo is necessary?

-Ben Kaduk
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • Re: getaffinity/setaffinity and cpu sets.
    ... created in a jail such that you know whether they can be changed in a ... This anonymous set will also be inherited across fork/thread ... In this model presently there are nodes marked as root. ... One place I'd like to implement CPU affinity is in the Sun Grid Engine ...
    (freebsd-arch)
  • Re: getaffinity/setaffinity and cpu sets.
    ... The notion would be that you can create a new numbered cpuset with cpuset. ... You can modify or inspect its affinity with get/setaffinity above and the CPU_WHICH_SET argument. ... This set would not be modifiable by user processes or by processes in a jail. ... Another option would be to expel the offending thread from the set that is in violation and reparent it to the real system root along with a syslog message or similar. ...
    (freebsd-arch)
  • Re: getaffinity/setaffinity and cpu sets.
    ... created in a jail such that you know whether they can be changed in a ... This anonymous set will also be inherited across fork/thread ... In this model presently there are nodes marked as root. ... be allocated a set of cpus that they can't change, ...
    (freebsd-arch)
  • Re: Escaping from a jail with root privileges on the host
    ... root access to the host's filesystem. ... I cannot see how the use of sudo would be relevant -- the fundametal issue ... does not result in jail getting access to the host's fs ...
    (FreeBSD-Security)
  • Re: chroot versus jail for the name daemon
    ... > assuming named is running as user and group bind (rather than as root)? ... > 3) What happens if named is broken while in a jail, ... That means an attacker can set things up so ...
    (freebsd-questions)