freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely
no@spam@mgEDV.net
nospam at mgedv.net
Sun Dec 7 02:03:32 UTC 2014
hi guys,
as the "real" application faces the same problems, i created a test
jail on a clean box just to check the behaviour using "/usr/bin/id".
problem description (hopefully i nailed it):
if a jailed process needs any .so for startup, the path to those *.so
needs to be world r-x, although the GID of the jail execute user
is allowed to r/x the dirs, where the *.so files are to be found.
there could be (ordering) errors with SET(e)GID in jail_* functions,
because it works as expected when prefixing with "chroot -g test /".
the EGID is dropped to the jail user's gid, but the GID is still 0!
we end up with a jailed proc (UID=999, GID=0), which of course is
not allowed to access the dirs for the *.so's to be loaded by exec.
[see end of message for setup details]
=== the symptom ===
/jail# /jail/a.sh
Shared object "libbsm.so.3" not found, required by "id"
jail: /bin/id: failed
=== details from truss ===
619: access("/lib/libbsm.so.3",0) ERR#13 'Permission denied'
619: access("/usr/lib/libbsm.so.3",0) ERR#13 'Permission denied'
=== some UID/GID details from kdump ===
/jail# grep -i '[g|s]et.*id' jail.kdump
64746 100091 jail CALL issetugid
64746 100091 jail RET issetugid 0
64746 100091 jail CALL issetugid
64746 100091 jail RET issetugid 0
64747 100093 jail CALL geteuid
64747 100093 jail RET geteuid 0
64747 100093 jail CALL setuid(0x3e7)
64747 100093 jail RET setuid 0
64747 100093 jail CALL getuid
64747 100093 jail RET getuid 999/0x3e7
64747 100093 jail CALL geteuid
64747 100093 jail RET geteuid 999/0x3e7
64747 100093 jail CALL getegid
64747 100093 jail RET getegid 999/0x3e7
64747 100093 jail CALL setegid(0x3e7)
64747 100093 jail RET setegid -1 errno 1 Operation not permitted
64747 100093 jail CALL seteuid(0x3e7)
64747 100093 jail RET seteuid 0
64747 100093 jail CALL seteuid(0x3e7)
64747 100093 jail RET seteuid 0
64747 100093 jail CALL setegid(0x3e7)
64747 100093 jail RET setegid -1 errno 1 Operation not permitted
64747 100093 id CALL issetugid
64747 100093 id RET issetugid 1
=== proof 1: chroot fixes the jail .so load problem ===
# outside the jail - just to know what's changing:
/jail# chroot -g test / id
uid=0(root) gid=0(wheel) egid=999(test) groups=999(test),5(operator)
# inside the jail - this is our "fix":
/jail# chroot -g test / /jail/a.sh
uid=999 gid=999(test) groups=999(test)
=== proof 2: chmod fixes *.so load, but GID=0 here! ===
if i chmod the jail homedir and jail's lib dir, it works:
/jail# chmod a+rx /jail /jail/lib
/jail# ./a.sh
uid=999 gid=0(wheel) egid=999(test) groups=999(test)
user and group names are read fine from the jailed "id",
although the file perms are as listed below.
is this a bug or am i missing something?
any help/info/enlightenment appreciated ;-)
[just reply to the list, i'm on it]
=== CONFIG (tested 3 different times with GENERIC and a CUSTOM kernel) ===
LiveCD install source: FreeBSD-10.1-RELEASE-amd64-disc1.iso
sha256: 0c3d64ce48c3ef761761d0fea07e1935e296f8c045c249118bc91a7faf053a6b
fresh install on 2 different ESXi 5.5 hosts and a 3rd physical PC.
only base.tgz+kernel.tgz or liveCD, tried on UFS2 (gpt) and tmpfs.
i used the www user and tmpfs on the liveCD, but everything else was the same.
=== the test user ===
/jail# id -P test
test:*:999:999::0:0:User &:/home/test:/bin/sh
=== the jail (before the mentioned chmod) ===
/jail# ls -Ralo
total 68
dr-xr-xr-x 6 root test - 512 Dec 7 01:02 .
drwxr-xr-x 19 root wheel - 512 Dec 7 00:06 ..
-rwx------ 1 root test - 773 Dec 7 01:00 a.sh
dr-xr-x--- 2 root test - 512 Dec 6 23:58 bin
drwxr-x--- 2 root test - 512 Dec 7 01:01 etc
-rw-r----- 1 root test - 37157 Dec 7 01:02 jail.truss
dr-xr-xr-x 2 root test - 512 Dec 6 23:59 lib
dr-xr-x--- 2 root test - 512 Dec 7 00:00 libexec
./bin:
total 24
dr-xr-x--- 2 root test - 512 Dec 6 23:58 .
dr-xr-xr-x 6 root test - 512 Dec 7 01:02 ..
-r-xr-x--- 1 root test - 12432 Nov 11 22:03 id
./etc:
total 60
drwxr-x--- 2 root test - 512 Dec 7 01:01 .
dr-xr-xr-x 6 root test - 512 Dec 7 01:02 ..
-rw-r----- 1 root test - 473 Dec 7 00:04 group
-rw-r----- 1 root test - 321 Dec 7 01:01 nsswitch.conf
-rw-r----- 1 root test - 1570 Dec 7 00:27 passwd
-rw------- 1 root test - 40960 Dec 7 00:27 spwd.db
./lib:
total 1744
dr-xr-xr-x 2 root test - 512 Dec 6 23:59 .
dr-xr-xr-x 6 root test - 512 Dec 7 01:02 ..
-r--r----- 1 root test - 106264 Nov 11 22:03 libbsm.so.3
-r--r----- 1 root test - 1631216 Nov 11 22:03 libc.so.7
./libexec:
total 124
dr-xr-x--- 2 root test - 512 Dec 7 00:00 .
dr-xr-xr-x 6 root test - 512 Dec 7 01:02 ..
-r-xr-x--- 1 root test - 118520 Nov 11 22:03 ld-elf.so.1
=== the start command ===
/jail# cat a.sh
#!/bin/sh
# files created below must not be group/world writable
umask 027
# remove the traces of the previous run
rm -f /jail/jail.truss /jail/jail.kdump /jail/jail.ktrace
# alternative tracer, disabled in favour of ktrace:
#/usr/bin/truss -f -e -a -o /jail/jail.truss -s 1000 \
# trace jail(8) and everything it forks (-i) into jail.ktrace
ktrace -d -f /jail/jail.ktrace -i -t cinpstuy \
jail -c jid=1 \
name=test \
path=/jail \
ip4.addr=1.1.1.1 \
host.hostuuid=c91e438a-1a44-4b7e-8732-0441ca9e2b97 \
host.hostid=6146666201 \
allow.sysvipc=0 \
allow.raw_sockets=0 \
exec.jail_user=test \
exec.system_user=test \
exec.system_jail_user=true \
host.hostname=test \
host.domainname=test.me \
allow.set_hostname=0 \
allow.chflags=0 \
allow.mount=0 \
allow.quotas=0 \
allow.socket_af=0 \
enforce_statfs=2 \
ip4=new \
ip6=disable \
command=/bin/id
# render the binary trace as text once the jail command has finished
kdump -H -f /jail/jail.ktrace >/jail/jail.kdump
=== EOM ===
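An added example, not from the original post and not jail(8)'s own code, showing the privilege-drop order the kdump above points at: groups, then GID, then UID, with a check afterwards that real and effective ids agree. The 999:999 target is a constructed value matching the post's test user; an unprivileged run only re-asserts the caller's own ids.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop privileges in the order that cannot fail halfway: supplementary
 * groups first, then real+effective GID, then real+effective UID.  Once
 * setuid() has moved to an unprivileged UID, a later setgid()/setegid()
 * to a group the process does not already hold fails with EPERM and the
 * real GID stays 0, the uid=999 gid=0 egid=999 state the kdump shows.
 * Returns 0 on success or the errno of the failing call. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* only the superuser may rewrite the supplementary list, and only
     * the superuser has a root group to shed here */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return errno;
    if (setgid(gid) != 0)       /* real, effective and saved GID */
        return errno;
    if (setuid(uid) != 0)       /* last: this call ends our privilege */
        return errno;
    return 0;
}

/* Post-drop check: every identity must equal its target.  A real GID that
 * differs from the effective GID is exactly the reported symptom. */
int ids_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* constructed target matching the post's test user (999:999); an
     * unprivileged run just re-asserts the caller's own ids */
    uid_t uid = geteuid() == 0 ? 999 : getuid();
    gid_t gid = geteuid() == 0 ? 999 : getgid();
    int err = drop_privileges(uid, gid);
    if (err != 0) {
        fprintf(stderr, "drop failed: errno %d\n", err);
        return 1;
    }
    printf("uid=%u euid=%u gid=%u egid=%u\n", (unsigned)getuid(),
           (unsigned)geteuid(), (unsigned)getgid(), (unsigned)getegid());
    return ids_dropped(uid, gid) ? 0 : 1;
}
```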