From nobody@FreeBSD.org  Tue Jan  5 09:32:26 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 09299106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  5 Jan 2010 09:32:26 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id ED2398FC0A
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  5 Jan 2010 09:32:25 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o059WPUr004403
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 5 Jan 2010 09:32:25 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o059WP0F004402;
	Tue, 5 Jan 2010 09:32:25 GMT
	(envelope-from nobody)
Message-Id: <201001050932.o059WP0F004402@www.freebsd.org>
Date: Tue, 5 Jan 2010 09:32:25 GMT
From: Vedad KAJTAZ <vedad@kajtaz.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Jail escape when cwd is moved from the host system
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         142341
>Category:       docs
>Synopsis:       jail(8): Jail escape when cwd is moved from the host system
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gjb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 05 09:40:02 UTC 2010
>Closed-Date:    Wed Jul 27 02:00:02 UTC 2011
>Last-Modified:  Wed Jul 27 02:00:23 UTC 2011
>Originator:     Vedad KAJTAZ
>Release:        7.2-RELEASE-p4
>Organization:
Vedad KAJTAZ
>Environment:
FreeBSD kenny.osilex.net 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct  2 12:21:39 UTC 2009     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
Given the following setup:

- A host system
- A jail system located in /usr/local/jails/J1 on the host system 
- A shell open in the jail system, with cwd set to /some/path (therefore,
  /usr/local/jails/J1/some/path on the host system).

When the root moves the /usr/local/jails/J1/some/path folder somewhere
else (say in /usr/local/jails/J2/some/path), the jail shell (as any other
jail process) is no longer rooted and has access to the whole filesystem
on the host.

Though this is not a common situation, it may happen (and did happen to me).

Best regards,
>How-To-Repeat:
Always repeatable
>Fix:
None known
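
A host-side check for the situation described in this report, as an added example that is not part of the original PR or of FreeBSD. It assumes the jail roots and the host-side absolute working directory of each process have already been collected; all names and sample values below are constructed.

```python
import posixpath

# Constructed sample data: jail id -> jail root on the host, and one record
# per process with its host-side absolute cwd (jid 0 = not jailed).
JAILS = {1: "/usr/local/jails/J1", 2: "/usr/local/jails/J2"}
PROCS = [
    {"pid": 812, "jid": 1, "cwd": "/usr/local/jails/J1/some/path"},
    {"pid": 913, "jid": 1, "cwd": "/usr/local/jails/J2/some/path"},
    {"pid": 1040, "jid": 2, "cwd": "/usr/local/jails/J2/var/tmp"},
    {"pid": 1, "jid": 0, "cwd": "/"},
]


def is_within(root, path):
    """True if path is root or below it, compared per path component.

    Lexical only: assumes both paths are absolute and already resolved.
    """
    root = posixpath.normpath(root).rstrip("/")
    path = posixpath.normpath(path)
    return path == (root or "/") or path.startswith(root + "/")


def escaped_processes(jails, procs):
    """PIDs of jailed processes whose cwd is outside their jail root."""
    return [p["pid"] for p in procs
            if p["jid"] in jails and not is_within(jails[p["jid"]], p["cwd"])]


def blockers_for_move(jails, procs, src, dst):
    """PIDs of jailed processes that make moving src to dst unsafe.

    A process blocks the move when its cwd is src or below it and dst is
    outside that process's jail root.
    """
    return [p["pid"] for p in procs
            if p["jid"] in jails
            and is_within(src, p["cwd"])
            and not is_within(jails[p["jid"]], dst)]


if __name__ == "__main__":
    print("already outside jail:", escaped_processes(JAILS, PROCS))
    print("blocks J1/some -> J2/some:", blockers_for_move(
        JAILS, PROCS, "/usr/local/jails/J1/some", "/usr/local/jails/J2/some"))
```

The component-wise comparison matters: a plain string prefix test would treat /usr/local/jails/J10 as being inside /usr/local/jails/J1.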

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-jail 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Jan 5 16:44:47 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=142341 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, vedad@kajtaz.net
Cc:  
Subject: Re: kern/142341: [jail] Jail escape when cwd is moved from the host
 system
Date: Tue, 5 Jan 2010 19:36:36 +0000 (UTC)

 Hi,
 
 this is the expected behaviour but is probably not explicitly
 documented.  Patches to update the man page are welcome.
 
 -- 
 Bjoern A. Zeeb         It will not break if you know what you are doing.
State-Changed-From-To: open->analyzed 
State-Changed-By: linimon 
State-Changed-When: Tue Jan 5 20:52:25 UTC 2010 
State-Changed-Why:  
Apparently this is the expected behavior and just needs to be documented. 


Responsible-Changed-From-To: freebsd-jail->freebsd-doc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Jan 5 20:52:25 UTC 2010 
Responsible-Changed-Why:  

Responsible-Changed-From-To: freebsd-doc->gjb 
Responsible-Changed-By: gjb 
Responsible-Changed-When: Sun Jul 17 21:31:28 UTC 2011 
Responsible-Changed-Why:  
Over to me. 



From: Benedict Reuschling <bcr@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/142341: jail(8): Jail escape when cwd is moved from the
 host system
Date: Mon, 18 Jul 2011 21:49:07 +0200

 This might be similar to the following PR:
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/156853
 
 Although the problems are different, they basically deal with the fact
 that it is possible to break out of the jail into the host system.
 See the audit trail for a discussion. When a solution is found (with all
 parties involved and happy with it), both PRs should be handled the same
 way.
 
 Regards
 
 Benedict Reuschling
 FreeBSD Doc Committer
 
 The FreeBSD Documentation Project
 FreeBSD German Documentation Project - https://doc.bsdgroup.de
State-Changed-From-To: analyzed->patched 
State-Changed-By: gjb 
State-Changed-When: Sun Jul 24 03:36:03 UTC 2011 
State-Changed-Why:  
Committed a fix to HEAD (r224286).  MFC in 3 days. 



From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/142341: commit references a PR
Date: Sun, 24 Jul 2011 03:34:48 +0000 (UTC)

 Author: gjb (doc committer)
 Date: Sun Jul 24 03:34:38 2011
 New Revision: 224286
 URL: http://svn.freebsd.org/changeset/base/224286
 
 Log:
   Document the potential for jail escape.
   
   Submitted by:	Vedad KAJTAZ (vedad % kajtaz net)
   PR:		142341
   Reviewed by:	bz, rwatson
   Rewording by:	rwatson
   Approved by:	re (kensmith)
   MFC after:	3 days
 
 Modified:
   head/usr.sbin/jail/jail.8
 
 Modified: head/usr.sbin/jail/jail.8
 ==============================================================================
 --- head/usr.sbin/jail/jail.8	Sun Jul 24 01:36:01 2011	(r224285)
 +++ head/usr.sbin/jail/jail.8	Sun Jul 24 03:34:38 2011	(r224286)
 @@ -34,7 +34,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd January 17, 2010
 +.Dd July 23, 2011
  .Dt JAIL 8
  .Os
  .Sh NAME
 @@ -907,3 +907,10 @@ Currently, the simplest answer is to min
  offered on the host, possibly limiting it to services offered from
  .Xr inetd 8
  which is easily configurable.
 +.Sh NOTES
 +Great care should be taken when managing directories visible within the jail.
 +For example, if a jailed process has its current working directory set to a
 +directory that is moved out of the jail's chroot, then the process may gain
 +access to the file space outside of the jail.
 +It is recommended that directories always be copied, rather than moved, out
 +of a jail.
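Review bot: The added NOTES paragraph never says who performs the move: "a directory that is moved out of the jail's chroot" is passive, while the PR describes root on the host system moving the directory. Since the recommendation in the last sentence is addressed to the host administrator, name the actor, for example "if a directory is moved out of the jail from the host system while a jailed process has it as its current working directory, ...". "The jail's chroot" would also read more clearly as the jail's root directory.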
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: gjb 
State-Changed-When: Wed Jul 27 01:59:45 UTC 2011 
State-Changed-Why:  
Merged to 7-stable and 8-stable. 



From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/142341: commit references a PR
Date: Wed, 27 Jul 2011 01:57:11 +0000 (UTC)

 Author: gjb (doc committer)
 Date: Wed Jul 27 01:56:52 2011
 New Revision: 224462
 URL: http://svn.freebsd.org/changeset/base/224462
 
 Log:
   MFC 224286:
   
   Document the potential for jail escape.
   
   PR:		142341
 
 Modified:
   stable/8/usr.sbin/jail/jail.8
 Directory Properties:
   stable/8/usr.sbin/jail/   (props changed)
 
 Modified: stable/8/usr.sbin/jail/jail.8
 ==============================================================================
 --- stable/8/usr.sbin/jail/jail.8	Tue Jul 26 20:51:58 2011	(r224461)
 +++ stable/8/usr.sbin/jail/jail.8	Wed Jul 27 01:56:52 2011	(r224462)
 @@ -34,7 +34,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd January 17, 2010
 +.Dd July 23, 2011
  .Dt JAIL 8
  .Os
  .Sh NAME
 @@ -913,3 +913,10 @@ Currently, the simplest answer is to min
  offered on the host, possibly limiting it to services offered from
  .Xr inetd 8
  which is easily configurable.
 +.Sh NOTES
 +Great care should be taken when managing directories visible within the jail.
 +For example, if a jailed process has its current working directory set to a
 +directory that is moved out of the jail's chroot, then the process may gain
 +access to the file space outside of the jail.
 +It is recommended that directories always be copied, rather than moved, out
 +of a jail.
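Review bot: "may gain access to the file space outside of the jail" in the added NOTES paragraph is weaker than what the PR reports, namely that the jailed process is no longer rooted and has access to the whole filesystem on the host. Consider stating the consequence as plainly as the report does, so that an administrator reading the stable/8 page does not take it for a minor exposure.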
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/142341: commit references a PR
Date: Wed, 27 Jul 2011 01:57:51 +0000 (UTC)

 Author: gjb (doc committer)
 Date: Wed Jul 27 01:57:24 2011
 New Revision: 224463
 URL: http://svn.freebsd.org/changeset/base/224463
 
 Log:
   MFC 224286:
   
   Document the potential for jail escape.
   
   PR:		142341
 
 Modified:
   stable/7/usr.sbin/jail/jail.8
 Directory Properties:
   stable/7/usr.sbin/jail/   (props changed)
 
 Modified: stable/7/usr.sbin/jail/jail.8
 ==============================================================================
 --- stable/7/usr.sbin/jail/jail.8	Wed Jul 27 01:56:52 2011	(r224462)
 +++ stable/7/usr.sbin/jail/jail.8	Wed Jul 27 01:57:24 2011	(r224463)
 @@ -33,7 +33,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd January 17, 2010
 +.Dd July 23, 2011
  .Dt JAIL 8
  .Os
  .Sh NAME
 @@ -708,3 +708,10 @@ Currently, the simplest answer is to min
  offered on the host, possibly limiting it to services offered from
  .Xr inetd 8
  which is easily configurable.
 +.Sh NOTES
 +Great care should be taken when managing directories visible within the jail.
 +For example, if a jailed process has its current working directory set to a
 +directory that is moved out of the jail's chroot, then the process may gain
 +access to the file space outside of the jail.
 +It is recommended that directories always be copied, rather than moved, out
 +of a jail.
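Review bot: The closing sentence "It is recommended that directories always be copied, rather than moved, out of a jail." gives the administrator no way to tell whether a given move is safe. Suggest adding that no jailed process should have its working directory in or below the directory when it is moved, and pointing to fstat(1), which lists each process's working directory, as the way to check.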
 
>Unformatted:
