| Summary: | [patch] Update docs: jail(8) security issues with world-readable jail root | | |
|---|---|---|---|
| Product: | Documentation | Reporter: | Chris Rees <utisoft> |
| Component: | Books & Articles | Assignee: | freebsd-jail (Nobody) <jail> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Chris Rees
2011-05-06 21:50:13 UTC
Responsible Changed From-To: freebsd-ports-bugs->freebsd-doc
reclassify

Responsible Changed From-To: freebsd-doc->bcr
Take this one.

bcr
2011-05-08 12:11:22 UTC
FreeBSD doc repository
Modified files:
en_US.ISO8859-1/books/handbook/jails chapter.sgml
Log:
Jails have a problem in that if the jail directory is world-readable, an
attacker with root access to the jail can create a setuid binary for their
own use in the host environment (if they also have this access), thus
breaking root in the host.
This exploit is impossible if the jail's files are not world-readable.
Add instructions to the handbook on how to create a jail with the
correct permissions set.
PR: docs/156853
Submitted by: Chris Rees (utisoft at gmail dot com)
Reviewed by: cperciva (security parts)
Revision Changes Path
1.23 +13 -3 doc/en_US.ISO8859-1/books/handbook/jails/chapter.sgml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
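The commit above changes one line (`mkdir -p -m 0700 $D`) and adds a sentence saying host users should not be able to reach the jail's files. As an added illustration, not code from the PR, the commits or FreeBSD, the POSIX sh script below audits an existing jail root for both points: it checks that group and other have no access bits on the root directory, and it lists setuid/setgid files under the tree, since a setuid root binary is the artifact the commit log describes. The function names (`jail_root_is_private`, `list_setuid_files`, `audit_jail_root`) and the two sample trees it builds under a temporary directory are constructed for the example; it goes slightly beyond the page by reporting setgid files as well as setuid ones.

```shell
#!/bin/sh
# Added example (not from the PR or FreeBSD): audit a jail root directory
# for the two conditions discussed in this PR.
#   1. Only the owner should have any access to the jail root (the commit
#      uses "mkdir -p -m 0700 $D"), so unprivileged host users cannot
#      traverse into files that root inside the jail creates.
#   2. Setuid/setgid files inside the tree are listed, because a setuid
#      root binary planted by in-jail root is exactly what becomes
#      dangerous once a host user can execute it.
# Uses only POSIX sh, ls(1), find(1), sed(1) and mktemp(1).

# Return 0 when group and other have no access bits at all on the
# directory (mode 0700 or tighter), 1 otherwise. The ls(1) mode string is
# parsed because its layout is the same on BSD and GNU userlands.
jail_root_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print every regular file under the jail root carrying setuid or setgid.
list_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Count them; tr strips the leading blanks BSD wc(1) emits.
count_setuid_files() {
    list_setuid_files "$1" | wc -l | tr -d ' '
}

# Full audit: returns 0 when the root is private, 1 when it is not.
# Setuid files are reported either way.
audit_jail_root() {
    root=$1
    status=0
    if jail_root_is_private "$root"; then
        echo "OK   $root is not accessible to group/other"
    else
        echo "WARN $root is accessible to other host users; create it with mkdir -m 0700"
        status=1
    fi
    n=$(count_setuid_files "$root")
    echo "INFO $n setuid/setgid file(s) under $root"
    [ "$n" -eq 0 ] || list_setuid_files "$root" | sed 's/^/     /'
    return $status
}

# Constructed sample trees (not real jails) so the script runs anywhere:
# "good" is created the way the commit recommends, "bad" is world-readable
# and contains a planted setuid file. Prints the base directory.
make_sample_jails() {
    base=$(mktemp -d)
    mkdir -p -m 0700 "$base/good"
    mkdir -m 0755 "$base/bad"
    mkdir -p "$base/bad/usr/local/bin"
    : > "$base/bad/usr/local/bin/planted"
    chmod 4755 "$base/bad/usr/local/bin/planted"
    echo "$base"
}

# Demo run over the constructed trees.
base=$(make_sample_jails)
audit_jail_root "$base/good"
audit_jail_root "$base/bad" || true
rm -rf "$base"
```

Run it as a normal user; the mode check on a real jail root only needs `ls -ld`, and the setuid scan runs with whatever read access the caller has, so an audit from an unprivileged host account that can see nothing under the root is itself the expected result.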
Author: bcr (doc committer)
Date: Sun May 8 12:16:39 2011
New Revision: 221655
URL: http://svn.freebsd.org/changeset/base/221655

Log:
Jails have a problem in that if the jail directory is world-readable, an
attacker with root access to the jail can create a setuid binary for their
own use in the host environment (if they also have this access), thus
breaking root in the host.
This exploit is impossible if the jail's files are not world-readable.
Add instructions to the man page on how to create a jail with the
correct permissions set.

PR: docs/156853
Submitted by: Chris Rees (utisoft at gmail dot com)
Reviewed by: cperciva (security parts)
MFC after: 9 days

Modified:
head/usr.sbin/jail/jail.8

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011 (r221654)
+++ head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011 (r221655)
@@ -34,7 +34,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd January 17, 2010
+.Dd May 8, 2011
.Dt JAIL 8
.Os
.Sh NAME
@@ -431,7 +431,7 @@ command script can be used:
.Bd -literal
D=/here/is/the/jail
cd /usr/src
-mkdir -p $D
+mkdir -p -m 0700 $D
make world DESTDIR=$D
make distribution DESTDIR=$D
mount -t devfs devfs $D/dev
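Review bot: in the @@ -431 hunk, `mkdir -p -m 0700 $D` makes the whole protection rest on the mode of `$D`, and with `-p` the `-m` mode applies only to that final path component, so the example should state that `$D` itself must stay 0700 after `make distribution DESTDIR=$D` has populated it with ordinary world-readable files, and that `ls -ld $D` is the check; a later `chmod` on the root, or a jail root created by any other procedure, silently reopens the entire tree. The commit log's "world-readable" is also narrower than the real condition: a host user needs search permission on `$D` to reach anything inside, so the requirement is no group/other access at all, which is what the "should not be able to access" sentence in the next hunk says and which the example's literal script should echo.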
@@ -448,6 +448,10 @@ in the per-jail devfs.
A simple devfs ruleset for jails is available as ruleset #4 in
.Pa /etc/defaults/devfs.rules .
.Pp
+Non-superusers in the host system should not be able to access the
+jail's files; otherwise an attacker with root access to the jail
+could obtain elevated privileges on the host.
+.Pp
In many cases this example would put far more in the jail than needed.
In the other extreme case a jail might contain only one file:
the executable to be run in the jail.

State Changed From-To: open->patched
Slightly modified versions of the patches were committed to their respective repositories. Set to 'patched' state until the MFC is done.

State Changed From-To: patched->feedback
We need to come up with a better solution for this and require input from various folks, so better set this to 'feedback'.

OK, I've changed the instructions along the lines of what des@ suggested and added a warning about allowing root in the jail access to the host as well.

New patches for the manpage [1] and Handbook [2].

Thanks!

Chris

[1] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_1.diff
[2] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_1.diff

Thanks for the input from kib@, bcr@, jilles@ and cperciva@; there's a new patch for each [1,2].

Chris

[1] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_2.diff
[2] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_2.diff

On Wed, May 25, 2011 at 06:52:03PM +0100, Chris Rees wrote:
> Thanks for the input from kib@, bcr@, jilles@ and cperciva@ there's a
> new patch for each [1,2].
>
> Chris
>
> [1] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_2.diff
> [2] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_2.diff
Now you are referencing some unspecified "file descriptors" handling
issues that are present for nullfs but not for NFS. What are they?
Please do not mention me in any way if the patches happen to land
in our repository.
BTW, do we also put such verbose wording somewhere for the "security"
issue of removing not writable / not owned files in the directory
writable by some user?
On 05/25/11 17:18, Kostik Belousov wrote:
> BTW, do we also put such verbose wording somewhere for the "security"
> issue of removing not writable / not owned files in the directory
> writable by some user?
Because this doesn't seem to be something people get confused by, at least
judging by the fact that secteam doesn't get any email about it. I assume
the bar for deciding when documentation ought to be expanded is something
along the line of "do people reading the existing documentation commonly
make mistakes".
--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
On 26 May 2011 01:18, Kostik Belousov <kostikbel@gmail.com> wrote:
> Now you are referencing some unspecified "file descriptors" handling
> issues that are present for nullfs but not for NFS. What are they?

I referenced a conversation earlier:

On 22 May 2011 20:32, Chris Rees <utisoft@gmail.com> wrote:
> From IRC (I don't want to attribute without permission):
>
> user in jail1 passes fd to directory to user in jail2
> if these are disjoint jails, the kernel will not know to restrict the
> process in jail2 to any jail base directory
> (the process in jail2 will fchdir(fd), chdir("../../../../.."))
> man 4 unix, /SCM_RIGHTS
> though this is only an issue if one of the untrusted users can write

Chris

On Thu, May 26, 2011 at 08:32:08AM +0100, Chris Rees wrote:
> I referenced a conversation earlier:

How can you reference a private conversation in the public documentation?
Anyway, I was unable to make any sense of the referenced sentence, and I
still cannot understand what the talk below is about.

> On 22 May 2011 20:32, Chris Rees <utisoft@gmail.com> wrote:
>
> > From IRC (I don't want to attribute without permission):
> >
> > user in jail1 passes fd to directory to user in jail2
> > if these are disjoint jails, the kernel will not know to restrict the
> > process in jail2 to any jail base directory
> > (the process in jail2 will fchdir(fd), chdir("../../../../.."))
> > man 4 unix, /SCM_RIGHTS
> > though this is only an issue if one of the untrusted users can write
>
> Chris

On 24 July 2011 12:11, Benedict Reuschling <bcr@freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Chris,
>
> I've been discussing with gjb@ whether the PR's solution below would fit
> the one you submitted in docs/156853. Do you think we can modify it so
> that it fits what you are trying to address?
>
> Regards
>
> Benedict
>
>
> - -------- Original-Nachricht --------
> Betreff: Jail Escaping (Fwd: Re: docs/142341: commit references a PR)
> Datum: Sat, 23 Jul 2011 23:42:46 -0400
> Von: Glen Barber <gjb@FreeBSD.org>
> An: Benedict Reuschling <bcr@FreeBSD.org>
>
> FYI, for the PR assigned to you (which I have not yet caught up on):
>
>
> - -------- Original Message --------
> From: dfilter@FreeBSD.ORG (dfilter service)
> Subject: Re: docs/142341: commit references a PR
> Reply-To: dfilter@FreeBSD.ORG (dfilter service)
>
> The following reply was made to PR docs/142341; it has been noted by GNATS.
>
> From: dfilter@FreeBSD.ORG (dfilter service)
> To: bug-followup@FreeBSD.org
> Cc:
> Subject: Re: docs/142341: commit references a PR
> Date: Sun, 24 Jul 2011 03:34:48 +0000 (UTC)
>
> Author: gjb (doc committer)
> Date: Sun Jul 24 03:34:38 2011
> New Revision: 224286
> URL: http://svn.freebsd.org/changeset/base/224286
>
> Log:
>   Document the potential for jail escape.
>
>   Submitted by: Vedad KAJTAZ (vedad % kajtaz net)
>   PR: 142341
>   Reviewed by: bz, rwatson
>   Rewording by: rwatson
>   Approved by: re (kensmith)
>   MFC after: 3 days
>
> Modified:
>   head/usr.sbin/jail/jail.8
>
> Modified: head/usr.sbin/jail/jail.8
> ==============================================================================
> --- head/usr.sbin/jail/jail.8 Sun Jul 24 01:36:01 2011 (r224285)
> +++ head/usr.sbin/jail/jail.8 Sun Jul 24 03:34:38 2011 (r224286)
> @@ -34,7 +34,7 @@
> .\"
> .\" $FreeBSD$
> .\"
> -.Dd January 17, 2010
> +.Dd July 23, 2011
> .Dt JAIL 8
> .Os
> .Sh NAME
> @@ -907,3 +907,10 @@ Currently, the simplest answer is to min
> offered on the host, possibly limiting it to services offered from
> .Xr inetd 8
> which is easily configurable.
> +.Sh NOTES
> +Great care should be taken when managing directories visible within
> the jail.
> +For example, if a jailed process has its current working directory set
> to a
> +directory that is moved out of the jail's chroot, then the process may
> gain
> +access to the file space outside of the jail.
> +It is recommended that directories always be copied, rather than
> moved, out
> +of a jail.
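Review bot: the NOTES text in the @@ -907 hunk states the mechanism (a jailed process keeps access to a directory that is moved outside the jail's root) but the advice "copied, rather than moved" does not say why copying is safe: the copy is a new directory the jailed process holds no reference to, while the original it does reference stays inside the jail. That reasoning belongs in the text, because the hazard is not specific to the current working directory; any open directory descriptor a jailed process holds behaves the same way (the fd-passing case raised earlier in this thread), so the note should say "working directory or open directory descriptor" and add that the in-jail original may be removed only once no jailed process still holds it. Also, "the jail's chroot" in the third added line is better phrased as the jail's root directory, which is what the rest of the page calls it.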
Hey Benedict,

I think perhaps we could just relegate this to a note at the bottom, as suggested before by Konstantin.

Something like:

...
of a jail.
+.Pp
+It is also not recommended that users allowed root in the jail be allowed access to
+the host system.
+For example, a root user in a jail can create a setuid root utility that could be run in the
+host system to achieve elevated privileges.
...

Kostik, is this more agreeable for you? I do think that it's necessary to point out that jails are not a universal UNIX concept, and therefore perhaps it's not realistic for people to notice these 'obvious' problems.

Chris

On Sun, Jul 24, 2011 at 05:40:24PM +0100, Chris Rees wrote:
> On 24 July 2011 12:11, Benedict Reuschling <bcr@freebsd.org> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi Chris,
> >
> > I've been discussing with gjb@ whether the PR's solution below would fit
> > the one you submitted in docs/156853. Do you think we can modify it so
> > that it fits what you are trying to address?
> >
> > Regards
> >
> > Benedict
> >
> >
> > - -------- Original-Nachricht --------
> > Betreff: Jail Escaping (Fwd: Re: docs/142341: commit references a PR)
> > Datum: Sat, 23 Jul 2011 23:42:46 -0400
> > Von: Glen Barber <gjb@FreeBSD.org>
> > An: Benedict Reuschling <bcr@FreeBSD.org>
> >
> > FYI, for the PR assigned to you (which I have not yet caught up on):
> >
> >
> > - -------- Original Message --------
> > From: dfilter@FreeBSD.ORG (dfilter service)
> > Subject: Re: docs/142341: commit references a PR
> > Reply-To: dfilter@FreeBSD.ORG (dfilter service)
> >
> > The following reply was made to PR docs/142341; it has been noted by GNATS.
> >
> > From: dfilter@FreeBSD.ORG (dfilter service)
> > To: bug-followup@FreeBSD.org
> > Cc:
> > Subject: Re: docs/142341: commit references a PR
> > Date: Sun, 24 Jul 2011 03:34:48 +0000 (UTC)
> >
> > Author: gjb (doc committer)
> > Date: Sun Jul 24 03:34:38 2011
> > New Revision: 224286
> > URL: http://svn.freebsd.org/changeset/base/224286
> >
> > Log:
> > Document the potential for jail escape.
> >
> > Submitted by: Vedad KAJTAZ (vedad % kajtaz net)
> > PR: 142341
> > Reviewed by: bz, rwatson
> > Rewording by: rwatson
> > Approved by: re (kensmith)
> > MFC after: 3 days
> >
> > Modified:
> > head/usr.sbin/jail/jail.8
> >
> > Modified: head/usr.sbin/jail/jail.8
> > ==============================================================================
> > --- head/usr.sbin/jail/jail.8 Sun Jul 24 01:36:01 2011 (r224285)
> > +++ head/usr.sbin/jail/jail.8 Sun Jul 24 03:34:38 2011 (r224286)
> > @@ -34,7 +34,7 @@
> > .\"
> > .\" $FreeBSD$
> > .\"
> > -.Dd January 17, 2010
> > +.Dd July 23, 2011
> > .Dt JAIL 8
> > .Os
> > .Sh NAME
> > @@ -907,3 +907,10 @@ Currently, the simplest answer is to min
> > offered on the host, possibly limiting it to services offered from
> > .Xr inetd 8
> > which is easily configurable.
> > +.Sh NOTES
> > +Great care should be taken when managing directories visible within
> > the jail.
> > +For example, if a jailed process has its current working directory set
> > to a
> > +directory that is moved out of the jail's chroot, then the process may
> > gain
> > +access to the file space outside of the jail.
> > +It is recommended that directories always be copied, rather than
> > moved, out
> > +of a jail.
>
> Hey Benedict,
>
> I think perhaps we could just relegate this to a note at the bottom,
> as suggested before by Konstantin.
>
> Something like:
>
> ...
> of a jail.
> +.Pp
> +It is also not recommended that users allowed root in the jail be
> allowed access to
> +the host system.
> +For example, a root user in a jail can create a setuid root utility
> that could be run in the
> +host system to achieve elevated privileges.
> ...
>
> Kostik, is this more agreeable for you? I do think that it's necessary
> to point out that jails are not a universal UNIX concept, and
> therefore perhaps it's not realistic for people to notice these
> 'obvious' problems.
This looks fine.
Thanks.
Author: bcr (doc committer)
Date: Thu Jul 28 11:41:55 2011
New Revision: 224475
URL: http://svn.freebsd.org/changeset/base/224475

Log:
Add a section to the jail chapter that explains why it is not recommended
to allow root users in the jail to access the host system.

PR: docs/156853
Submitted by: crees
Patch by: crees
Approved by: re (kib) for BETA1

Modified:
head/usr.sbin/jail/jail.8

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8 Thu Jul 28 10:16:30 2011 (r224474)
+++ head/usr.sbin/jail/jail.8 Thu Jul 28 11:41:55 2011 (r224475)
@@ -34,7 +34,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 23, 2011
+.Dd July 28, 2011
.Dt JAIL 8
.Os
.Sh NAME
@@ -914,3 +914,8 @@ directory that is moved out of the jail'
access to the file space outside of the jail.
It is recommended that directories always be copied, rather than moved, out
of a jail.
+.Pp
+It is also not recommended that users allowed root in the jail be allowed
+access to the host system.
+For example, a root user in a jail can create a setuid root utility that
+could be run in the host system to achieve elevated privileges.

State Changed From-To: feedback->patched
Are we going to MFC this too?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've reverted the patch. There is still a discussion going about how we
should handle this. There are different viewpoints about what the basic
philosophy is behind jails. The first sentence of your latest patch does
seem to be preferred by most people involved, the second is more in dispute.

Benedict

On 9 August 2011 18:18, Benedict Reuschling <bcr@freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've reverted the patch. There is still a discussion going about how we
> should handle this. There are different viewpoints about what the basic
> philosophy is behind jails. The first sentence of your latest patch does
> seem to be preferred by most people involved, the second is more in dispute.
>
> Benedict

I'm _really_ sorry for bringing this up :P

Thanks for looking after it.
Chris

--
Chris Rees          | FreeBSD Developer
crees@FreeBSD.org   | http://people.freebsd.org/~crees

State Changed From-To: patched->open
Reverted....

Responsible Changed From-To: bcr->freebsd-doc
Drop this back into the pool, as I could not make much progress on it. The last discussion points revolved around the question whether jails are meant to be a security feature or for virtualization purposes. Maybe someone else can find a better solution; I'm not even sure that doc is the right category for this PR at the moment.

Responsible Changed From-To: freebsd-doc->freebsd-jail
What do you guys think of it?

State Changed From-To: open->closed
Closed by submitter's request. The change r39566 of books/handbook/jails/chapter.sgml provided sufficient warning to solve the issue.