I brought this problem up on freebsd-security two years ago [1], and promptly forgot about it, but then another person [2] has brought it up again...

Jails have a problem in that if the jail directory is world-readable, an attacker with root access to the jail can create a setuid binary for their own use in the host environment (if they also have this access), thus breaking root in the host.

[1] http://freebsd.1045724.n5.nabble.com/Thoughts-on-jail-privilege-FAQ-submission-td4219099.html
[2] http://lists.freebsd.org/pipermail/freebsd-security/2011-May/005886.html

Fix: No fix, but precautions can be taken; this exploit is impossible if the jail's files are not world-readable.

Docs patches for the Handbook [3] and for the jail(8) manpage [4] are provided.

- Advise 0700 permissions for jail root directory to stop various exploits

Patch submitted by: Chris Rees (utisoft@gmail.com)
Discovered by: Chris Rees (utisoft@gmail.com) and Pétur Ingi Egilsson (petur@petur.eu)

[3] http://www.bayofrum.net/~crees/patches/jail-secure-handbook.diff
[4] http://www.bayofrum.net/~crees/patches/jail-secure-manpage.diff

How-To-Repeat: Follow instructions in the Handbook or jail(8) manpage, create a setuid binary inside the jail as root, and run it as an unprivileged user in the host.
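The script below is an added example and is not part of the PR, the Handbook or the jail(8) text: a POSIX sh audit for the precondition the report describes (an unprivileged host user being able to search the jail root and so reach a setuid binary that the jail's root has created), together with the secured form of the Handbook's mkdir step. The function names and the jail paths in the usage line are hypothetical.

```shell
#!/bin/sh
# jail-perms-check.sh: added example, not from the PR or from FreeBSD's
# documentation. A setuid-root binary that jail root drops under the jail
# directory is only usable from the host if an unprivileged host user can
# search the jail root, so that is the bit this script audits.
# Function names and the jail paths in the usage line are made up.

# Secured form of the Handbook's "mkdir -p $D": apply 0700 with an explicit
# chmod, because "mkdir -p -m 0700" only sets the mode on a directory it
# creates itself and leaves a pre-existing $D at whatever mode it had.
create_jail_root() {
    mkdir -p "$1" && chmod 0700 "$1"
}

# True (0) if "other" holds search (x) permission on the directory, which is
# the bit that lets unprivileged host users descend into the jail at all.
# Reads the mode column of ls -ld: position 10 is other-x ('x', or 't' when
# the sticky bit is also set). Works with both FreeBSD and GNU ls.
others_can_search() {
    case "$(ls -ld "$1")" in
        d????????[xt]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every setuid or setgid regular file below the jail root, one per line.
# -perm -4000 / -perm -2000 are understood by both FreeBSD and GNU find.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Audit one jail root. Exit status: 0 = other host users cannot enter the
# tree, 1 = they can (setuid/setgid files are listed), 2 = not a directory.
audit_jail() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 2; }
    if others_can_search "$1"; then
        echo "$1: $(ls -ld "$1" | cut -c1-10) is searchable by other host users"
        setuid_files "$1" | sed 's/^/  setuid or setgid, reachable from the host: /'
        return 1
    fi
    echo "$1: $(ls -ld "$1" | cut -c1-10), not reachable by other host users"
    return 0
}

# Usage: sh jail-perms-check.sh /usr/jails/www /usr/jails/mail
# (hypothetical jail paths). Exit status is 1 if any jail root is exposed.
if [ "$#" -gt 0 ]; then
    rc=0
    for j in "$@"; do
        audit_jail "$j" || rc=1
    done
    exit "$rc"
fi
```

The verdict looks only at the jail root's other-x bit because that is what the report's precaution relies on: with 0700 on $D no unprivileged host user can descend into the tree, whatever the modes of the files below. The setuid/setgid listing is there so the operator can see what a jailed root has left behind; it does not change the verdict, since jail root can create such a file at any time.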
Responsible Changed From-To: freebsd-ports-bugs->freebsd-doc reclassify
Responsible Changed From-To: freebsd-doc->bcr Take this one.
bcr 2011-05-08 12:11:22 UTC

FreeBSD doc repository

Modified files:
  en_US.ISO8859-1/books/handbook/jails chapter.sgml

Log:
  Jails have a problem in that if the jail directory is world-readable, an attacker with root access to the jail can create a setuid binary for their own use in the host environment (if they also have this access), thus breaking root in the host. This exploit is impossible if the jail's files are not world-readable.

  Add instructions to the handbook on how to create a jail with the correct permissions set.

  PR:           docs/156853
  Submitted by: Chris Rees (utisoft at gmail dot com)
  Reviewed by:  cperciva (security parts)

Revision  Changes  Path
1.23      +13 -3   doc/en_US.ISO8859-1/books/handbook/jails/chapter.sgml
Author: bcr (doc committer)
Date: Sun May 8 12:16:39 2011
New Revision: 221655
URL: http://svn.freebsd.org/changeset/base/221655

Log:
  Jails have a problem in that if the jail directory is world-readable, an attacker with root access to the jail can create a setuid binary for their own use in the host environment (if they also have this access), thus breaking root in the host. This exploit is impossible if the jail's files are not world-readable.

  Add instructions to the man page on how to create a jail with the correct permissions set.

  PR:           docs/156853
  Submitted by: Chris Rees (utisoft at gmail dot com)
  Reviewed by:  cperciva (security parts)
  MFC after:    9 days

Modified:
  head/usr.sbin/jail/jail.8

Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011 (r221654) +++ head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011 (r221655) @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 17, 2010 +.Dd May 8, 2011 .Dt JAIL 8 .Os .Sh NAME @@ -431,7 +431,7 @@ command script can be used: .Bd -literal D=/here/is/the/jail cd /usr/src -mkdir -p $D +mkdir -p -m 0700 $D make world DESTDIR=$D make distribution DESTDIR=$D mount -t devfs devfs $D/dev @@ -448,6 +448,10 @@ in the per-jail devfs. A simple devfs ruleset for jails is available as ruleset #4 in .Pa /etc/defaults/devfs.rules . .Pp +Non-superusers in the host system should not be able to access the +jail's files; otherwise an attacker with root access to the jail +could obtain elevated privileges on the host. +.Pp In many cases this example would put far more in the jail than needed. In the other extreme case a jail might contain only one file: the executable to be run in the jail.
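Review bot: in the "-mkdir -p $D" / "+mkdir -p -m 0700 $D" hunk, "-m 0700" is applied only to a directory that mkdir creates itself; when $D already exists (the script is re-run, or $D was pre-created as a mount point) "-p" suppresses the error and the existing mode, typically 0755, is kept, and any intermediate directories "-p" creates get the umask default rather than 0700. An explicit "chmod 0700 $D" after the mkdir, or a sentence telling the reader to verify the mode, would close that gap; the paragraph added later in this same patch relies on exactly this permission.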
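Review bot: the added paragraph ("Non-superusers in the host system should not be able to access the jail's files; otherwise an attacker with root access to the jail could obtain elevated privileges on the host") names the consequence but neither the mechanism nor the check, so a reader cannot tell which permission matters. The PR text supplies both: root inside the jail creates a setuid-root binary under the jail directory, and an unprivileged host user who can reach it runs it to become root on the host, which the 0700 mode on $D in the script above prevents. Suggest appending "for example by creating a setuid binary in the jail directory and executing it from the host; the 0700 mode on the jail root in the script above is what prevents this", so the command and the warning are tied together.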
State Changed From-To: open->patched Slightly modified versions of the patches were committed to their respective repositories. Set to 'patched' state until the MFC is done.
State Changed From-To: patched->feedback We need to come up with a better solution for this and require input from various folks, so better set this to 'feedback'.
OK, I've changed the instructions along the lines of what des@ suggested and added a warning about allowing root in the jail access to the host as well. New patches for the manpage [1] and Handbook [2].

Thanks!

Chris

[1] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_1.diff
[2] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_1.diff
Thanks for the input from kib@, bcr@, jilles@ and cperciva@; there's a new patch for each [1,2].

Chris

[1] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_2.diff
[2] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_2.diff
On Wed, May 25, 2011 at 06:52:03PM +0100, Chris Rees wrote:
> Thanks for the input from kib@, bcr@, jilles@ and cperciva@ there's a
> new patch for each [1,2].
>
> Chris
>
> [1] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_2.diff
> [2] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_2.diff

Now you are referencing some unspecified "file descriptors" handling issues that are present for nullfs but not for NFS. What are they?

Please do not mention me in any way if the patches happen to land in our repository.

BTW, do we also put such verbose wording somewhere for the "security" issue of removing not writable / not owned files in the directory writable by some user?
On 05/25/11 17:18, Kostik Belousov wrote:
> BTW, do we also put such verbose wording somewhere for the "security"
> issue of removing not writable / not owned files in the directory
> writable by some user?

Because this doesn't seem to be something people get confused by, at least judging by the fact that secteam doesn't get any email about it. I assume the bar for deciding when documentation ought to be expanded is something along the line of "do people reading the existing documentation commonly make mistakes".

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
On 26 May 2011 01:18, Kostik Belousov <kostikbel@gmail.com> wrote:
> Now you are referencing some unspecified "file descriptors" handling
> issues that are present for nullfs but not for NFS. What are they?

I referenced a conversation earlier:

On 22 May 2011 20:32, Chris Rees <utisoft@gmail.com> wrote:
> From IRC (I don't want to attribute without permission):
>
> user in jail1 passes fd to directory to user in jail2
> if these are disjoint jails, the kernel will not know to restrict the
> process in jail2 to any jail base directory
> (the process in jail2 will fchdir(fd), chdir("../../../../.."))
> man 4 unix, /SCM_RIGHTS
> though this is only an issue if one of the untrusted users can write

Chris
On Thu, May 26, 2011 at 08:32:08AM +0100, Chris Rees wrote:
> I referenced a conversation earlier:

How can you reference a private conversation in the public documentation?

Anyway, I was unable to make any sense of the referenced sentence, and I still cannot understand what the talk below is about.

> On 22 May 2011 20:32, Chris Rees <utisoft@gmail.com> wrote:
> > From IRC (I don't want to attribute without permission):
> >
> > user in jail1 passes fd to directory to user in jail2
> > if these are disjoint jails, the kernel will not know to restrict the
> > process in jail2 to any jail base directory
> > (the process in jail2 will fchdir(fd), chdir("../../../../.."))
> > man 4 unix, /SCM_RIGHTS
> > though this is only an issue if one of the untrusted users can write
>
> Chris
On 24 July 2011 12:11, Benedict Reuschling <bcr@freebsd.org> wrote:
> Hi Chris,
>
> I've been discussing with gjb@ whether the PR's solution below would fit
> the one you submitted in docs/156853. Do you think we can modify it so
> that it fits what you are trying to address?
>
> Regards
>
> Benedict
>
>
> -------- Original Message --------
> Subject: Jail Escaping (Fwd: Re: docs/142341: commit references a PR)
> Date: Sat, 23 Jul 2011 23:42:46 -0400
> From: Glen Barber <gjb@FreeBSD.org>
> To: Benedict Reuschling <bcr@FreeBSD.org>
>
> FYI, for the PR assigned to you (which I have not yet caught up on):
>
>
> -------- Original Message --------
> From: dfilter@FreeBSD.ORG (dfilter service)
> Subject: Re: docs/142341: commit references a PR
> Reply-To: dfilter@FreeBSD.ORG (dfilter service)
>
> The following reply was made to PR docs/142341; it has been noted by GNATS.
>
> From: dfilter@FreeBSD.ORG (dfilter service)
> To: bug-followup@FreeBSD.org
> Cc:
> Subject: Re: docs/142341: commit references a PR
> Date: Sun, 24 Jul 2011 03:34:48 +0000 (UTC)
>
>  Author: gjb (doc committer)
>  Date: Sun Jul 24 03:34:38 2011
>  New Revision: 224286
>  URL: http://svn.freebsd.org/changeset/base/224286
>
>  Log:
>    Document the potential for jail escape.
>
>    Submitted by:  Vedad KAJTAZ (vedad % kajtaz net)
>    PR:            142341
>    Reviewed by:   bz, rwatson
>    Rewording by:  rwatson
>    Approved by:   re (kensmith)
>    MFC after:     3 days
>
>  Modified:
>    head/usr.sbin/jail/jail.8
>
>  Modified: head/usr.sbin/jail/jail.8
>  ==============================================================================
>  --- head/usr.sbin/jail/jail.8  Sun Jul 24 01:36:01 2011  (r224285)
>  +++ head/usr.sbin/jail/jail.8  Sun Jul 24 03:34:38 2011  (r224286)
>  @@ -34,7 +34,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
>  -.Dd January 17, 2010
>  +.Dd July 23, 2011
>  .Dt JAIL 8
>  .Os
>  .Sh NAME
>  @@ -907,3 +907,10 @@ Currently, the simplest answer is to min
>  offered on the host, possibly limiting it to services offered from
>  .Xr inetd 8
>  which is easily configurable.
>  +.Sh NOTES
>  +Great care should be taken when managing directories visible within the jail.
>  +For example, if a jailed process has its current working directory set to a
>  +directory that is moved out of the jail's chroot, then the process may gain
>  +access to the file space outside of the jail.
>  +It is recommended that directories always be copied, rather than moved, out
>  +of a jail.
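Review bot: the new NOTES paragraph covers only a jailed process whose current working directory is moved out of the jail, but the same escape works from any open directory descriptor the process holds, for instance one received over a unix(4) socket with SCM_RIGHTS and then used with fchdir(2) followed by chdir("../../.."), the case raised earlier in this PR; "its current working directory" could read "its current working directory, or any directory it holds open". The phrase "moved out of the jail's chroot" is also looser than the advice that follows, which is about rename(2)/mv(1) of a directory to a location outside the jail's root directory while a jailed process still references it; naming the operation would make the "copy rather than move" recommendation easier to apply.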
Hey Benedict,

I think perhaps we could just relegate this to a note at the bottom, as suggested before by Konstantin.

Something like:

...
of a jail.
+.Pp
+It is also not recommended that users allowed root in the jail be allowed access to
+the host system.
+For example, a root user in a jail can create a setuid root utility that could be run in the
+host system to achieve elevated privileges.
...

Kostik, is this more agreeable for you? I do think that it's necessary to point out that jails are not a universal UNIX concept, and therefore perhaps it's not realistic for people to notice these 'obvious' problems.

Chris
On Sun, Jul 24, 2011 at 05:40:24PM +0100, Chris Rees wrote:
> On 24 July 2011 12:11, Benedict Reuschling <bcr@freebsd.org> wrote:
> > [...]
>
> Hey Benedict,
>
> I think perhaps we could just relegate this to a note at the bottom,
> as suggested before by Konstantin.
>
> Something like:
>
> ...
> of a jail.
> +.Pp
> +It is also not recommended that users allowed root in the jail be
> allowed access to
> +the host system.
> +For example, a root user in a jail can create a setuid root utility
> that could be run in the
> +host system to achieve elevated privileges.
> ...
>
> Kostik, is this more agreeable for you? I do think that it's necessary
> to point out that jails are not a universal UNIX concept, and
> therefore perhaps it's not realistic for people to notice these
> 'obvious' problems.

This looks fine. Thanks.
Author: bcr (doc committer)
Date: Thu Jul 28 11:41:55 2011
New Revision: 224475
URL: http://svn.freebsd.org/changeset/base/224475

Log:
  Add a section to the jail chapter that explains why it is not recommended to allow root users in the jail to access the host system.

  PR:           docs/156853
  Submitted by: crees
  Patch by:     crees
  Approved by:  re (kib) for BETA1

Modified:
  head/usr.sbin/jail/jail.8

Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Thu Jul 28 10:16:30 2011 (r224474) +++ head/usr.sbin/jail/jail.8 Thu Jul 28 11:41:55 2011 (r224475) @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 23, 2011 +.Dd July 28, 2011 .Dt JAIL 8 .Os .Sh NAME @@ -914,3 +914,8 @@ directory that is moved out of the jail' access to the file space outside of the jail. It is recommended that directories always be copied, rather than moved, out of a jail. +.Pp +It is also not recommended that users allowed root in the jail be allowed +access to the host system. +For example, a root user in a jail can create a setuid root utility that +could be run in the host system to achieve elevated privileges.
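Review bot: the second added sentence ("a root user in a jail can create a setuid root utility that could be run in the host system to achieve elevated privileges") drops the precondition recorded in the PR, that unprivileged host users can reach the jail's files at all, so the reader is left with nothing to check. Suggest "... that could be run in the host system, if the jail's files are accessible there, to achieve elevated privileges", with a pointer to the mode of the jail root in the example script (0700 in the earlier r221655 hunk). Separately, the log message says "Add a section to the jail chapter", which is the Handbook, while the only file modified is usr.sbin/jail/jail.8.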
State Changed From-To: feedback->patched Are we going to MFC this too?
I've reverted the patch. There is still a discussion going about how we should handle this. There are different viewpoints about what the basic philosophy is behind jails. The first sentence of your latest patch does seem to be preferred by most people involved, the second is more in dispute.

Benedict
On 9 August 2011 18:18, Benedict Reuschling <bcr@freebsd.org> wrote:
> I've reverted the patch. There is still a discussion going about how we
> should handle this. There are different viewpoints about what the basic
> philosophy is behind jails. The first sentence of your latest patch does
> seem to be preferred by most people involved, the second is more in dispute.
>
> Benedict

I'm _really_ sorry for bringing this up :P

Thanks for looking after it.

Chris

-- 
Chris Rees          | FreeBSD Developer
crees@FreeBSD.org   | http://people.freebsd.org/~crees
State Changed From-To: patched->open Reverted....
Responsible Changed From-To: bcr->freebsd-doc Drop this back into the pool, as I could not make much progress on it. The last discussion points revolved around the question whether jails are meant to be a security feature or for virtualization purposes. Maybe someone else can find a better solution, I'm not even sure that doc is the right category for this PR at the moment.
Responsible Changed From-To: freebsd-doc->freebsd-jail What do you guys think of it?
State Changed From-To: open->closed Closed by submitter's request. The change r39566 of books/handbook/jails/chapter.sgml provided sufficient warning to solve the issue.