Created attachment 150594
jail setgid bug analysis and reproduce steps

initial analysis [2014-12-06]:
as the "real" application faces the same problems, i created a test jail on a clean box just to check the behaviour using "/usr/bin/id".

problem description (hopefully i nailed it):
if a jailed process needs any .so for startup, the path to those *.so needs to be world r-x, although the GID of the jail execute user is allowed to r/x the dirs, where the *.so files are to be found.

there could be (ordering) errors with SET(e)GID in jail_* functions, because it works as expected when prefixing with "chroot -g test /". the EGID is dropped to the jail user's gid, but the GID is still 0! we end up with a jailed proc (UID=999, GID=0), which of course is not allowed to access the dirs for the *.so's to be loaded by exec.

update from james gritton [2014-12-13]:
There does indeed seem to be a missing setgid() in jail (compared to jexec, which gets it right).

more details to be found in freebsd-questions list (attached, too).
subject: freebsd 10.1-RELEASE: jail security errors - GID 0 not dropped completely

Created attachment 150650
patch to add setgid

A commit references this bug:

Author: jamie
Date: Thu Dec 18 18:10:41 UTC 2014
New revision: 275906
URL: https://svnweb.freebsd.org/changeset/base/275906

Log:
  Setgid before running a command as a specified user. Previously only
  initgroups(3) was called, what isn't quite enough. This brings jail(8)
  in line with jexec(8), which was already doing the right thing.

  PR: 195984
  MFC after: 1 week

Changes:
  head/usr.sbin/jail/command.c

A commit references this bug:

Author: jamie
Date: Sat Dec 27 02:17:36 UTC 2014
New revision: 276276
URL: https://svnweb.freebsd.org/changeset/base/276276

Log:
  MFC r275906:

  Setgid before running a command as a specified user. Previously only
  initgroups(3) was called, what isn't quite enough. This brings jail(8)
  in line with jexec(8), which was already doing the right thing.

  PR: 195984

Changes:
_U  stable/9/usr.sbin/jail/
  stable/9/usr.sbin/jail/command.c

A commit references this bug:

Author: jamie
Date: Sat Dec 27 02:17:37 UTC 2014
New revision: 276277
URL: https://svnweb.freebsd.org/changeset/base/276277

Log:
  MFC r275906:

  Setgid before running a command as a specified user. Previously only
  initgroups(3) was called, what isn't quite enough. This brings jail(8)
  in line with jexec(8), which was already doing the right thing.

  PR: 195984

Changes:
_U  stable/10/
  stable/10/usr.sbin/jail/command.c
*** Bug 193129 has been marked as a duplicate of this bug. ***
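
The drop order the commit log describes (initgroups(3), then setgid, then setuid), followed by a check that no root GID remains, as an added example; this is not the code from command.c or from the attached patch, and the names creds_match and drop_to_user are hypothetical.

```c
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Snapshot of the process credentials relevant to this report. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

/* Return 1 only if real and effective IDs all match the target user. */
int creds_match(const struct creds *c, uid_t uid, gid_t gid)
{
    return c->ruid == uid && c->euid == uid &&
           c->rgid == gid && c->egid == gid;
}

/*
 * Drop from root to the user in pw. Order matters: supplementary groups
 * and the GID must change while the process is still root, because an
 * unprivileged process can no longer change its groups after setuid().
 * Returns 0 on success, -1 on any failure (caller must not exec).
 */
int drop_to_user(const struct passwd *pw)
{
    struct creds now;

    if (initgroups(pw->pw_name, pw->pw_gid) != 0) /* supplementary groups */
        return -1;
    if (setgid(pw->pw_gid) != 0) /* as root: real, effective, saved GID */
        return -1;
    if (setuid(pw->pw_uid) != 0) /* last step: gives up root */
        return -1;

    /* Verify instead of assuming: a leftover real GID 0 is the bug. */
    now = (struct creds){ getuid(), geteuid(), getgid(), getegid() };
    return creds_match(&now, pw->pw_uid, pw->pw_gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : NULL;

    if (pw == NULL || drop_to_user(pw) != 0) {
        fprintf(stderr, "usage: %s user (must run as root)\n", argv[0]);
        return 1;
    }
    execl("/usr/bin/id", "id", (char *)NULL);
    return 1; /* only reached if exec failed */
}
```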