FreeBSD Bugzilla – Attachment 150594 Details for Bug 195984
[jail] security bug in jail utility: setgid missing/fails during creation
jail setgid bug analysis and reproduce steps
jail_setgid_bug.txt (text/plain), 5.96 KB, created by no@spam on 2014-12-15 01:24:51 UTC
>hi guys,
>
>as the "real" application faces the same problems, i created a test
>jail on a clean box just to check the behaviour using "/usr/bin/id".
>
>problem description (hopefully i nailed it):
>if a jailed process needs any .so for startup, the path to those *.so
>needs to be world r-x, although the GID of the jail execute user
>is allowed to r/x the dirs, where the *.so files are to be found.
>there could be (ordering) errors with SET(e)GID in jail_* functions,
>because it works as expected when prefixing with "chroot -g test /".
>the EGID is dropped to the jail user's gid, but the GID is still 0!
>we end up with a jailed proc (UID=999, GID=0), which of course is
>not allowed to access the dirs for the *.so's to be loaded by exec.
>[see end of message for setup details]
>
>=== the symptom ===
>/jail# /jail/a.sh
>Shared object "libbsm.so.3" not found, required by "id"
>jail: /bin/id: failed
>
>=== details from truss ===
> 619: access("/lib/libbsm.so.3",0) ERR#13 'Permission denied'
> 619: access("/usr/lib/libbsm.so.3",0) ERR#13 'Permission denied'
>
>=== some UID/GID details from kdump ===
>/jail# grep -i '[g|s]et.*id' jail.kdump
>64746 100091 jail CALL issetugid
>64746 100091 jail RET issetugid 0
>64746 100091 jail CALL issetugid
>64746 100091 jail RET issetugid 0
>64747 100093 jail CALL geteuid
>64747 100093 jail RET geteuid 0
>64747 100093 jail CALL setuid(0x3e7)
>64747 100093 jail RET setuid 0
>64747 100093 jail CALL getuid
>64747 100093 jail RET getuid 999/0x3e7
>64747 100093 jail CALL geteuid
>64747 100093 jail RET geteuid 999/0x3e7
>64747 100093 jail CALL getegid
>64747 100093 jail RET getegid 999/0x3e7
>64747 100093 jail CALL setegid(0x3e7)
>64747 100093 jail RET setegid -1 errno 1 Operation not permitted
>64747 100093 jail CALL seteuid(0x3e7)
>64747 100093 jail RET seteuid 0
>64747 100093 jail CALL seteuid(0x3e7)
>64747 100093 jail RET seteuid 0
>64747 100093 jail CALL setegid(0x3e7)
>64747 100093 jail RET setegid -1 errno 1 Operation not permitted
>64747 100093 id CALL issetugid
>64747 100093 id RET issetugid 1
>
>=== proof 1: chroot fixes the jail .so load problem ===
># outside the jail - just to know what's changing:
>/jail# chroot -g test / id
>uid=0(root) gid=0(wheel) egid=999(test) groups=999(test),5(operator)
># inside the jail - this is our "fix":
>/jail# chroot -g test / /jail/a.sh
>uid=999 gid=999(test) groups=999(test)
>
>=== proof 2: chmod fixes *.so load, but GID=0 here! ===
>if i chmod the jail homedir and jail's lib dir, it works:
>/jail# chmod a+rx /jail /jail/lib
>/jail# ./a.sh
>uid=999 gid=0(wheel) egid=999(test) groups=999(test)
>
>user and group names are read fine from the jailed "id",
>although the file perms are as listed beyond.
>
>is this a bug or am i missing something?
>any help/info/enlightenment appreciated ;-)
>[just reply to the list, i'm on it]
>
>
>==== CONFIG (tested 3 different times with GENERIC and a CUSTOM kernel):
>LiveCD install source: FreeBSD-10.1-RELEASE-amd64-disc1.iso
>sha256: 0c3d64ce48c3ef761761d0fea07e1935e296f8c045c249118bc91a7faf053a6b
>fresh install on 2 different ESXi 5.5 hosts and a 3rd physical PC.
>only base.tgz+kernel.tgz or liveCD, tried on UFS2 (gpt) and tmpfs.
>i used the www user and tmpfs on the liveCD, but everything else was the same.
>
>=== the test user ===
>/jail# id -P test
>test:*:999:999::0:0:User &:/home/test:/bin/sh
>
>=== the jail (before the mentioned chmod) ===
>/jail# ls -Ralo
>total 68
>dr-xr-xr-x 6 root test - 512 Dec 7 01:02 .
>drwxr-xr-x 19 root wheel - 512 Dec 7 00:06 ..
>-rwx------ 1 root test - 773 Dec 7 01:00 a.sh
>dr-xr-x--- 2 root test - 512 Dec 6 23:58 bin
>drwxr-x--- 2 root test - 512 Dec 7 01:01 etc
>-rw-r----- 1 root test - 37157 Dec 7 01:02 jail.truss
>dr-xr-xr-x 2 root test - 512 Dec 6 23:59 lib
>dr-xr-x--- 2 root test - 512 Dec 7 00:00 libexec
>
>./bin:
>total 24
>dr-xr-x--- 2 root test - 512 Dec 6 23:58 .
>dr-xr-xr-x 6 root test - 512 Dec 7 01:02 ..
>-r-xr-x--- 1 root test - 12432 Nov 11 22:03 id
>
>./etc:
>total 60
>drwxr-x--- 2 root test - 512 Dec 7 01:01 .
>dr-xr-xr-x 6 root test - 512 Dec 7 01:02 ..
>-rw-r----- 1 root test - 473 Dec 7 00:04 group
>-rw-r----- 1 root test - 321 Dec 7 01:01 nsswitch.conf
>-rw-r----- 1 root test - 1570 Dec 7 00:27 passwd
>-rw------- 1 root test - 40960 Dec 7 00:27 spwd.db
>
>./lib:
>total 1744
>dr-xr-xr-x 2 root test - 512 Dec 6 23:59 .
>dr-xr-xr-x 6 root test - 512 Dec 7 01:02 ..
>-r--r----- 1 root test - 106264 Nov 11 22:03 libbsm.so.3
>-r--r----- 1 root test - 1631216 Nov 11 22:03 libc.so.7
>
>./libexec:
>total 124
>dr-xr-x--- 2 root test - 512 Dec 7 00:00 .
>dr-xr-xr-x 6 root test - 512 Dec 7 01:02 ..
>-r-xr-x--- 1 root test - 118520 Nov 11 22:03 ld-elf.so.1
>
>
>=== the start command ====
>/jail# cat a.sh
>
>umask 027;
>rm -f /jail/jail.truss /jail/jail.kdump /jail/jail.ktrace
>
>#/usr/bin/truss -f -e -a -o /jail/jail.truss -s 1000 \
>ktrace -d -f /jail/jail.ktrace -i -t cinpstuy \
>jail -c jid=1 \
>name=test \
>path=/jail \
>ip4.addr=1.1.1.1 \
>host.hostuuid=c91e438a-1a44-4b7e-8732-0441ca9e2b97 \
>host.hostid=6146666201 \
>allow.sysvipc=0 \
>allow.raw_sockets=0 \
>exec.jail_user=test \
>exec.system_user=test \
>exec.system_jail_user=true \
>host.hostname=test \
>host.domainname=test.me \
>allow.set_hostname=0 \
>allow.chflags=0 \
>allow.mount=0 \
>allow.quotas=0 \
>allow.socket_af=0 \
>enforce_statfs=2 \
>ip4=new \
>ip6=disable \
>command=/bin/id \
>
>kdump -H -f /jail/jail.ktrace >/jail/jail.kdump
>
>=== EOM ===
>
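
Added example, not part of the attachment or of FreeBSD's tooling: a Python check for the pattern visible in the kdump excerpt above, where a group-ID call fails with EPERM after the same process has already switched to a non-root uid. The function names and result fields are this example's own; the sample records are a subset of the trace quoted in the report.

```python
import re

# Constructed sample: records copied from the kdump excerpt in the report above.
SAMPLE_KDUMP = """\
64747 100093 jail CALL setuid(0x3e7)
64747 100093 jail RET setuid 0
64747 100093 jail CALL setegid(0x3e7)
64747 100093 jail RET setegid -1 errno 1 Operation not permitted
64747 100093 jail CALL seteuid(0x3e7)
64747 100093 jail RET seteuid 0
64747 100093 jail CALL setegid(0x3e7)
64747 100093 jail RET setegid -1 errno 1 Operation not permitted
"""

# `kdump -H` record: pid, tid, command, then "CALL name(args)" or "RET name value ..."
REC = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(CALL|RET)\s+(\w+)(.*)$")
UID_CALLS = {"setuid", "seteuid"}
GID_CALLS = {"setgid", "setegid", "setgroups"}
EPERM = 1

def first_arg(rest):
    """First syscall argument as an int (hex or decimal), else None."""
    m = re.match(r"\((0x[0-9a-fA-F]+|\d+)", rest)
    return int(m.group(1), 16 if m.group(1).startswith("0x") else 10) if m else None

def find_late_gid_changes(kdump_text):
    """Report group-ID calls that fail with EPERM after the process left uid 0."""
    pending, dropped, findings = {}, {}, []
    for line in kdump_text.splitlines():
        m = REC.match(line)
        if not m:
            continue
        pid, tid, comm, kind, name, rest = m.groups()
        if kind == "CALL":
            pending[(pid, tid)] = (name, first_arg(rest))
            continue
        call, arg = pending.pop((pid, tid), (None, None))
        if call != name:
            continue  # RET whose CALL is not in the trace
        fields = rest.split()
        errno = int(fields[2]) if fields[:2] == ["-1", "errno"] and len(fields) > 2 else None
        if name in UID_CALLS and fields[:1] == ["0"] and arg is not None:
            if arg == 0:
                dropped.pop(pid, None)  # effective uid is root again
            else:
                dropped.setdefault(pid, (name, arg))  # remember the first drop
        elif name in GID_CALLS and errno == EPERM and pid in dropped:
            findings.append({"pid": int(pid), "comm": comm, "call": name,
                             "arg": arg, "after": dropped[pid]})
    return findings
```

Run over the full `jail.kdump`, each finding names the failing group call and the earlier uid change that removed the privilege it needed; a trace in which the group IDs are set before `setuid` yields no findings.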