Bug 142341

Summary: jail(8): Jail escape when cwd is moved from the host system
Product: Documentation
Reporter: vedad
Component: Books & Articles
Assignee: Glen Barber <gjb>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description vedad 2010-01-05 09:40:02 UTC
Given the following setup:

- A host system
- A jail system located in /usr/local/jails/J1 on the host system 
- A shell open in the jail system, with cwd set to /some/path (therefore,
  /usr/local/jails/J1/some/path on the host system).

When the root moves the /usr/local/jails/J1/some/path folder somewhere
else (say in /usr/local/jails/J2/some/path), the jail shell (as any other
jail process) is no longer rooted and has access to the whole filesystem
on the host.

Though this is not a common situation, it may happen (and did happen to me).

Best regards,

Fix: 

None known
How-To-Repeat: Always repeatable
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2010-01-05 16:44:47 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-jail

Over to maintainer(s).
Comment 2 Bjoern A. Zeeb freebsd_committer freebsd_triage 2010-01-05 19:36:36 UTC
Hi,

this is the expected behaviour but is probably not explicitly
documented.  Patches to update the man page are welcome.

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2010-01-05 20:52:25 UTC
State Changed
From-To: open->analyzed

Apparently this is the expected behavior and just needs to be documented. 


Comment 4 Mark Linimon freebsd_committer freebsd_triage 2010-01-05 20:52:25 UTC
Responsible Changed
From-To: freebsd-jail->freebsd-doc
Comment 5 Glen Barber freebsd_committer freebsd_triage 2011-07-17 22:31:28 UTC
Responsible Changed
From-To: freebsd-doc->gjb

Over to me.
Comment 6 Benedict Reuschling freebsd_committer freebsd_triage 2011-07-18 20:49:07 UTC
This might be similar to the following PR:

http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/156853

Although the problems are different, they basically deal with the fact
that it is possible to break out of the jail into the host system.
See the audit trail for a discussion. When a solution is found (with all
parties involved and happy with it), both PRs should be handled the same
way.

Regards

Benedict Reuschling
FreeBSD Doc Committer

The FreeBSD Documentation Project
FreeBSD German Documentation Project - https://doc.bsdgroup.de
Comment 7 dfilter service freebsd_committer freebsd_triage 2011-07-24 04:34:48 UTC
Author: gjb (doc committer)
Date: Sun Jul 24 03:34:38 2011
New Revision: 224286
URL: http://svn.freebsd.org/changeset/base/224286

Log:
  Document the potential for jail escape.
  
  Submitted by:	Vedad KAJTAZ (vedad % kajtaz net)
  PR:		142341
  Reviewed by:	bz, rwatson
  Rewording by:	rwatson
  Approved by:	re (kensmith)
  MFC after:	3 days

Modified:
  head/usr.sbin/jail/jail.8

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8	Sun Jul 24 01:36:01 2011	(r224285)
+++ head/usr.sbin/jail/jail.8	Sun Jul 24 03:34:38 2011	(r224286)
@@ -34,7 +34,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 17, 2010
+.Dd July 23, 2011
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -907,3 +907,10 @@ Currently, the simplest answer is to min
 offered on the host, possibly limiting it to services offered from
 .Xr inetd 8
 which is easily configurable.
+.Sh NOTES
+Great care should be taken when managing directories visible within the jail.
+For example, if a jailed process has its current working directory set to a
+directory that is moved out of the jail's chroot, then the process may gain
+access to the file space outside of the jail.
+It is recommended that directories always be copied, rather than moved, out
+of a jail.
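Review bot: the new NOTES paragraph states that the process "may gain access to the file space outside of the jail" but not why, so a reader cannot tell which other directory operations carry the same risk. A sentence saying that the process keeps its working directory across the move, and that this directory then no longer lies beneath the jail's root, would make the warning generalisable beyond the one "For example" case. It would also help to say that the move is one performed from the host, as in the PR's report.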
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 8 Glen Barber freebsd_committer freebsd_triage 2011-07-24 04:36:03 UTC
State Changed
From-To: analyzed->patched

Committed a fix to HEAD (r224286).  MFC in 3 days.
Comment 9 dfilter service freebsd_committer freebsd_triage 2011-07-27 02:57:11 UTC
Author: gjb (doc committer)
Date: Wed Jul 27 01:56:52 2011
New Revision: 224462
URL: http://svn.freebsd.org/changeset/base/224462

Log:
  MFC 224286:
  
  Document the potential for jail escape.
  
  PR:		142341

Modified:
  stable/8/usr.sbin/jail/jail.8
Directory Properties:
  stable/8/usr.sbin/jail/   (props changed)

Modified: stable/8/usr.sbin/jail/jail.8
==============================================================================
--- stable/8/usr.sbin/jail/jail.8	Tue Jul 26 20:51:58 2011	(r224461)
+++ stable/8/usr.sbin/jail/jail.8	Wed Jul 27 01:56:52 2011	(r224462)
@@ -34,7 +34,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 17, 2010
+.Dd July 23, 2011
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -913,3 +913,10 @@ Currently, the simplest answer is to min
 offered on the host, possibly limiting it to services offered from
 .Xr inetd 8
 which is easily configurable.
+.Sh NOTES
+Great care should be taken when managing directories visible within the jail.
+For example, if a jailed process has its current working directory set to a
+directory that is moved out of the jail's chroot, then the process may gain
+access to the file space outside of the jail.
+It is recommended that directories always be copied, rather than moved, out
+of a jail.
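Review bot: "the file space outside of the jail" in the added paragraph is vague about what is exposed, whereas the PR describes it as access to the whole filesystem on the host. Suggest wording such as "files outside of the jail's root on the host system" so the severity is clear to someone skimming NOTES.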
Comment 10 dfilter service freebsd_committer freebsd_triage 2011-07-27 02:57:51 UTC
Author: gjb (doc committer)
Date: Wed Jul 27 01:57:24 2011
New Revision: 224463
URL: http://svn.freebsd.org/changeset/base/224463

Log:
  MFC 224286:
  
  Document the potential for jail escape.
  
  PR:		142341

Modified:
  stable/7/usr.sbin/jail/jail.8
Directory Properties:
  stable/7/usr.sbin/jail/   (props changed)

Modified: stable/7/usr.sbin/jail/jail.8
==============================================================================
--- stable/7/usr.sbin/jail/jail.8	Wed Jul 27 01:56:52 2011	(r224462)
+++ stable/7/usr.sbin/jail/jail.8	Wed Jul 27 01:57:24 2011	(r224463)
@@ -33,7 +33,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 17, 2010
+.Dd July 23, 2011
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -708,3 +708,10 @@ Currently, the simplest answer is to min
 offered on the host, possibly limiting it to services offered from
 .Xr inetd 8
 which is easily configurable.
+.Sh NOTES
+Great care should be taken when managing directories visible within the jail.
+For example, if a jailed process has its current working directory set to a
+directory that is moved out of the jail's chroot, then the process may gain
+access to the file space outside of the jail.
+It is recommended that directories always be copied, rather than moved, out
+of a jail.
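Review bot: the added text refers to "the jail's chroot" with no cross-reference, while the context lines just above it use ".Xr inetd 8" for the service they mention. Consider adding ".Xr chroot 2" at that point so readers can reach the description of the underlying mechanism.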
Comment 11 Glen Barber freebsd_committer freebsd_triage 2011-07-27 02:59:45 UTC
State Changed
From-To: patched->closed

Merged to 7-stable and 8-stable.
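
One way to apply the committed NOTES recommendation on the host, as an added example that is not part of the PR or of FreeBSD: before a directory is moved out of a jail, refuse if any jailed process has its working directory inside it. The function names, the "PID HOST_PATH" input format and the PIDs are assumptions; paths are assumed absolute and already resolved.

```shell
#!/bin/sh
# Added example: host-side pre-check before moving a directory out of a jail.
# Paths are assumed absolute and already resolved (no "..", no symlinks).

# is_under PATH DIR: true if PATH is DIR itself or lies beneath DIR.
is_under() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_move JAILROOT SRC DST, reading "PID HOST_PATH" lines on stdin: the cwd
# of each jailed process as seen from the host (assumed collected beforehand,
# for instance with procstat(1)). Prints a verdict and returns:
#   0 "ok"           not a move out of this jail, plain mv is fine
#   1 "copy"         no cwd inside SRC right now, but a process could still
#                    chdir there before the mv, so copy as jail(8) recommends
#   2 "blocked PIDS" these processes would end up outside their root
check_move() {
    jailroot=$1 src=$2 dst=$3 blocked=""
    if ! is_under "$src" "$jailroot" || is_under "$dst" "$jailroot"; then
        echo ok; return 0
    fi
    while read -r pid cwd; do
        [ -n "$pid" ] || continue
        if is_under "$cwd" "$src"; then blocked="$blocked $pid"; fi
    done
    if [ -n "$blocked" ]; then
        echo "blocked$blocked"; return 2
    fi
    echo copy; return 1
}

# Constructed sample: the PR's layout, with made-up PIDs.
SAMPLE_CWDS='101 /usr/local/jails/J1/some/path
102 /usr/local/jails/J1/var/tmp
103 /usr/local/jails/J1/some/pathology'

printf '%s\n' "$SAMPLE_CWDS" |
    check_move /usr/local/jails/J1 /usr/local/jails/J1/some/path \
        /usr/local/jails/J2/some/path || true
```
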