Bug 195984 - [jail] security bug in jail utility: setgid missing/fails during creation
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.1-RELEASE
Hardware: amd64 Any
Importance: --- Affects Many People
Assignee: Jamie Gritton
Duplicates: 193129
Reported: 2014-12-15 01:24 UTC by no@spam
Modified: 2015-03-09 03:22 UTC

Attachments
jail setgid bug analysis and reproduce steps (5.96 KB, text/plain)
2014-12-15 01:24 UTC, no@spam
patch to add setgid (551 bytes, patch)
2014-12-16 18:14 UTC, Jamie Gritton

Description no@spam 2014-12-15 01:24:51 UTC
Created attachment 150594
jail setgid bug analysis and reproduce steps

initial analysis [2014-12-06]:
as the "real" application faces the same problems, i created a test
jail on a clean box just to check the behaviour using "/usr/bin/id".
problem description (hopefully i nailed it):
if a jailed process needs any .so for startup, the path to those *.so
needs to be world r-x, although the GID of the jail execute user
is allowed to r/x the dirs, where the *.so files are to be found.
there could be (ordering) errors with SET(e)GID in jail_* functions,
because it works as expected when prefixing with "chroot -g test /".
the EGID is dropped to the jail user's gid, but the GID is still 0!
we end up with a jailed proc (UID=999, GID=0), which of course is
not allowed to access the dirs for the *.so's to be loaded by exec.

update from james gritton [2014-12-13]:
There does indeed seem to be a missing setgid() in jail (compared to
jexec, which gets it right).

more details to be found in freebsd-questions list (attached, too). subject:
freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely
Comment 1 Jamie Gritton freebsd_committer freebsd_triage 2014-12-16 18:14:17 UTC
Created attachment 150650
patch to add setgid
Comment 2 commit-hook freebsd_committer freebsd_triage 2014-12-18 18:10:56 UTC
A commit references this bug:

Author: jamie
Date: Thu Dec 18 18:10:41 UTC 2014
New revision: 275906
URL: https://svnweb.freebsd.org/changeset/base/275906

Log:
  Setgid before running a command as a specified user.  Previously only
  initgroups(3) was called, which isn't quite enough.  This brings jail(8)
  in line with jexec(8), which was already doing the right thing.

  PR:		195984
  MFC after:	1 week

Changes:
  head/usr.sbin/jail/command.c
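
The following C program is an added example, not the committed patch or any FreeBSD source. It shows the drop sequence the commit log describes (initgroups(3), then setgid, then setuid) and checks afterwards that the real and effective IDs all changed, which is the condition the reporter found violated (UID=999, GID=0). The function names and the default account "nobody" are assumptions made for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: declare initgroups(3) */
#endif
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 only if real and effective IDs all match the target user. */
int creds_fully_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/*
 * Drop from root to pw: supplementary groups, then GID, then UID.
 * setuid() must come last; after it the process can no longer change groups.
 * Returns 0 on success, -1 on any failure (caller must not exec on failure).
 */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)   /* the call the bug report found missing */
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    /* Verify the result instead of trusting return codes alone. */
    return creds_fully_dropped(pw->pw_uid, pw->pw_gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* "nobody" is an assumed default account for this demonstration. */
    const struct passwd *pw = getpwnam(argc > 1 ? argv[1] : "nobody");
    if (pw == NULL || drop_to_user(pw) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("uid=%d euid=%d gid=%d egid=%d\n", (int)getuid(), (int)geteuid(),
           (int)getgid(), (int)getegid());
    return 0;
}
```

Run as root, it prints the four IDs after the drop; a process left with GID 0 fails the final check instead of continuing.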
Comment 3 commit-hook freebsd_committer freebsd_triage 2014-12-27 02:18:03 UTC
A commit references this bug:

Author: jamie
Date: Sat Dec 27 02:17:36 UTC 2014
New revision: 276276
URL: https://svnweb.freebsd.org/changeset/base/276276

Log:
  MFC r275906:

    Setgid before running a command as a specified user.  Previously only
    initgroups(3) was called, which isn't quite enough.  This brings jail(8)
    in line with jexec(8), which was already doing the right thing.

  PR:		195984

Changes:
_U  stable/9/usr.sbin/jail/
  stable/9/usr.sbin/jail/command.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2014-12-27 02:18:05 UTC
A commit references this bug:

Author: jamie
Date: Sat Dec 27 02:17:37 UTC 2014
New revision: 276277
URL: https://svnweb.freebsd.org/changeset/base/276277

Log:
  MFC r275906:

    Setgid before running a command as a specified user.  Previously only
    initgroups(3) was called, which isn't quite enough.  This brings jail(8)
    in line with jexec(8), which was already doing the right thing.

  PR:		195984

Changes:
_U  stable/10/
  stable/10/usr.sbin/jail/command.c
Comment 5 Jamie Gritton freebsd_committer freebsd_triage 2015-03-09 03:22:04 UTC
*** Bug 193129 has been marked as a duplicate of this bug. ***