Bug 215250 - jail break under particular circumstance
Status: Closed Works As Intended
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 11.0-STABLE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-jail (Nobody)
Reported: 2016-12-12 12:01 UTC by simonp
Modified: 2016-12-12 23:04 UTC (History)
Description simonp 2016-12-12 12:01:24 UTC
I do not understand if this is really a bug, anyway I am submitting this because I think it could be the top of a more complex "iceberg".

How to reproduce:
--------------------------------------------------------

jailhost is the host machine
thejail is the jailed machine


remote#ssh user@thejail  // log into the jail from a remote system

thejail$su               // become superuser in the jail
thejail#cd /usr/ports    // log into any folder of the jail

Now from jailhost move the jail folder
into the jailhost hierarchy

jailhost#mv /jailz/<thejail>/usr/ports /jailz/ports // !!!

Now, from inside thejail

thejail#pwd
/jailz/ports             // !!! logged into the host   
thejail#cd ..            // you can navigate the host filesystem
thejail#pwd
/
thejail#cd etc
thejail#pwd
/etc
thejail#cat rc.conf      // see host file contents  
hostname="jailhost.mydomain"
...

thejail#uname -a         // while you are inside the jail ...
FreeBSD jailhost.mydomain 11.0-RELEASE-p1 ...

--------------------------------------------------------


I understand that this is a very particular situation
and I don't know if it is an expected behaviour
just submitting because it sounds quite unexpected ...

Cheers
Paolo
Comment 1 Andrey V. Elsukov freebsd_committer freebsd_triage 2016-12-12 13:38:56 UTC
(In reply to simonp from comment #0)
> I do not understand if this is really a bug, anyway I am submitting this
> because I think it could be the top of a more complex "iceberg".

If you can do the same without the following step, then it is a jail break. Otherwise it is expected behavior. IMHO.

> Now from jailhost move the jail folder
> into the jailhost hierarchy
> 
> jailhost#mv /jailz/<thejail>/usr/ports /jailz/ports // !!!
Comment 2 Jamie Gritton freebsd_committer freebsd_triage 2016-12-12 14:40:52 UTC
Yes, it's expected behavior.  It's not so much a "break" as being pulled out of the jail by an administrator with proper permission who presumably knows what he's doing.

Preventing an assisted break like this would be doable, but would involve either tracing all .. traversals back to at least a prison root, or attaching a prison reference to every directory in the vnode cache.  Both of those seem to be a bit of overkill.

I have to admit I've done the very thing in the example: temporarily moving /usr/ports to a jail.  Lately I've gone with nullfs instead, which doesn't open this hole.
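
Added example, not part of the original bug report and not FreeBSD code: a toy Python model of the `..` handling discussed in comment 2, run through the scenario from the description. It assumes, as a simplification, that lookup refuses to go above the jail root only by comparing the current directory object with the jail root object, and it uses the hypothetical jail directory name `thejail`; `beneath()` is the ancestor trace that comment 2 describes as the costly alternative.

```python
# Toy model (constructed for illustration, not kernel code) of ".." clamping
# at a jail root and of a working directory that is moved out from under it.
class Dir:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}
        if parent is not None:
            parent.children[name] = self

    def path(self):
        # Absolute path as seen from the host root.
        parts, d = [], self
        while d.parent is not None:
            parts.append(d.name)
            d = d.parent
        return "/" + "/".join(reversed(parts))

def move(d, new_parent, new_name):
    # Host-side mv: the directory object is re-parented, so a process whose
    # cwd is this object keeps it and is carried along.
    del d.parent.children[d.name]
    d.name, d.parent = new_name, new_parent
    new_parent.children[new_name] = d

def cd_up(cwd, jail_root, times=16):
    # Repeated "cd ..": lookup refuses to go up only when standing ON the jail
    # root (object identity) or on the real root; it never traces ancestry.
    for _ in range(times):
        if cwd is not jail_root and cwd.parent is not None:
            cwd = cwd.parent
    return cwd

def beneath(cwd, jail_root):
    # The ancestor trace: is the jail root still somewhere above cwd?
    while cwd is not None and cwd is not jail_root:
        cwd = cwd.parent
    return cwd is jail_root

def demo():
    host = Dir("")                        # host "/"
    jailz = Dir("jailz", host)
    jail_root = Dir("thejail", jailz)     # assumed jail path: /jailz/thejail
    cwd = Dir("ports", Dir("usr", jail_root))   # jailed shell sits in /usr/ports
    before = (cd_up(cwd, jail_root).path(), beneath(cwd, jail_root))
    move(cwd, jailz, "ports")             # host: mv .../usr/ports /jailz/ports
    after = (cd_up(cwd, jail_root).path(), beneath(cwd, jail_root))
    return before, after
```

Before the move, climbing stops at `/jailz/thejail`; after it, the same working directory is no longer below the jail root, so the identity check never fires and climbing ends at the host `/`.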
Comment 3 simonp 2016-12-12 23:04:01 UTC
(In reply to Jamie Gritton from comment #2)

Thank you very much you guys,

As I pointed out myself, the case is absolutely particular,
and indeed you have no need to "break" a jail 
if you have admin permission for the host system ;-) ...

However, some unaware sysadmin or a buggy script may lead
to the situation described, so better to have had a look ... 
thank you again