Bug 55568

Summary: DUMP can be used in JAIL
Product: Base System
Reporter: mjoyner <mjoyner>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 5.1-RELEASE
Hardware: Any
OS: Any

Description mjoyner 2003-08-14 02:10:18 UTC
A jailed root user can use DUMP and gain a snapshot of the entire disk.
From there the jailed root user can restore files from the HOST SYSTEM
or any other jails at their leisure.

Even if DEVFS is not mounted, a root user could possibly create a
device node anyways, and one needs TTYS anyways.

Some sort of check is not occurring in the disk access code that
is needed to prevent JAILED users ANY raw access to the disk.

Fix:

Add security checks on device access to prevent jailed users
from gaining access to things they don't need access to.

If this is a setting which can be changed, the default behavior
needs to be more security conscious, or at least very very very
clearly documented.

How-To-Repeat: Run DUMP in a jailed environment.
Comment 1 Kris Kennaway 2003-10-08 23:23:02 UTC
On Wed, Aug 13, 2003 at 09:04:06PM -0400, mjoyner wrote:

> A jailed root user can use DUMP and gain a snapshot of the entire disk.
> From there the jailed root user can restore files from the HOST SYSTEM
> or any other jails at their leisure.

Only if the administrator has configured the jail with the raw disk
devices.  As you note, this is a security risk.

> Even if DEVFS is not mounted, a root user could possibly create a
> device node anyways, and one needs TTYS anyways.

I believe this to be untrue.  root cannot make device nodes once
inside a jail.

Kris
Comment 2 Kris Kennaway freebsd_committer freebsd_triage 2003-10-08 23:23:07 UTC
State Changed
From-To: open->analyzed

This looks like expected behaviour.
Comment 3 mjoyner 2003-10-09 04:33:50 UTC
Where would one find documentation to prevent the jailed user from being 
able to dump the raw partition(s)?

Kris Kennaway wrote:
> On Wed, Aug 13, 2003 at 09:04:06PM -0400, mjoyner wrote:
>
>> A jailed root user can use DUMP and gain a snapshot of the entire disk.
>> From there the jailed root user can restore files from the HOST SYSTEM
>> or any other jails at their leisure.
>
> Only if the administrator has configured the jail with the raw disk
> devices.  As you note, this is a security risk.
>
>> Even if DEVFS is not mounted, a root user could possibly create a
>> device node anyways, and one needs TTYS anyways.
>
> I believe this to be untrue.  root cannot make device nodes once
> inside a jail.
>
> Kris
Comment 4 Kris Kennaway 2003-10-09 04:52:38 UTC
On Wed, Oct 08, 2003 at 11:33:50PM -0400, mjoyner wrote:
> Where would one find documentation to prevent the jailed user from being 
> able to dump the raw partition(s)?

Jails containing untrusted root users should only contain a minimum
set of device nodes (the exact list would depend on what you want to
do with the jail).  This is documented in the manpage.

Kris
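An added audit script for the mitigation Kris describes (not part of the bug report or of FreeBSD itself): it walks a jail's /dev and reports any character device whose name looks like a raw disk, partition or memory node, since dump(8) needs exactly such a node to read the host filesystem. The device name patterns and the jail path in the usage comment are assumptions based on current FreeBSD driver names.

```shell
#!/bin/sh
# Added example, not from the PR: detect raw disk nodes exposed inside a jail.
# Name patterns are an assumption drawn from current FreeBSD driver names.

# is_disk_name NAME -> 0 if NAME looks like a raw disk, partition or memory
# device that should never be visible to an untrusted jailed root, else 1.
is_disk_name() {
    case "$1" in
        ad[0-9]*|ada[0-9]*|da[0-9]*|md[0-9]*|vtbd[0-9]*|nvd[0-9]*|nvme[0-9]*)
            return 0 ;;                     # disks, slices, partitions
        mem|kmem|io)
            return 0 ;;                     # physical/kernel memory, I/O ports
        *)
            return 1 ;;
    esac
}

# check_jail_dev DIR -> prints each character device under DIR that
# is_disk_name flags; returns 0 when nothing is exposed, 1 otherwise.
check_jail_dev() {
    exposed=0
    for node in "$1"/*; do
        [ -c "$node" ] || continue          # only device nodes matter
        if is_disk_name "${node##*/}"; then
            printf 'exposed: %s\n' "$node"
            exposed=1
        fi
    done
    return "$exposed"
}

# On current FreeBSD the "minimum set of device nodes" is enforced with a
# devfs ruleset: /etc/defaults/devfs.rules ships devfsrules_jail, which
# hides everything and unhides only a basic set (null, zero, random, ptys,
# ...), and jail.conf selects it with devfs_ruleset = 4.  Example call,
# assuming the jail root lives under /jails/www:
# check_jail_dev /jails/www/dev && echo "no raw disk nodes exposed"
```

A finding means the jail's devfs ruleset (or a hand-built /dev) is exposing more than the basic set, and the ruleset should be tightened before untrusted users get root in that jail.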
Comment 5 Kris Kennaway freebsd_committer freebsd_triage 2003-10-17 07:26:25 UTC
State Changed
From-To: analyzed->closed

Pointed submitter to the documentation about this feature.