misc/187307: Security vulnerability with FreeBSD Jail
Tom Evans
tevans.uk at googlemail.com
Thu Mar 6 02:13:59 UTC 2014
On Wed, Mar 5, 2014 at 11:39 PM, Xin Li <delphij at delphij.net> wrote:
> This is NOT a problem with jail. For starters, it's very bad idea to
> give out host shell account, privileged or not, to jail users if they
> are not trusted. Let's consider this scenario:
>
> jail$ su -l
> jail# cp /usr/bin/less /bin/root_shell
> jail# chown root:wheel /bin/root_shell
> jail# chmod 6555 /bin/root_shell
> jail# logout
> jail$ logout
>
> Then, you basically have a setuid binary that can be reached from host
> system. As an attacker I would do:
>
> host$ /path/to/jail/bin/root_shell
> #
>
As a defender I would hope that someone has already done:
host# chmod 700 /path/to
You're right though, jail users have no business on the host.
Cheers
Tom
More information about the freebsd-security
mailing list