From nobody@FreeBSD.org  Fri May  6 20:44:37 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CF3F2106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 May 2011 20:44:37 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id BDDE78FC15
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 May 2011 20:44:37 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p46KibIY031659
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 6 May 2011 20:44:37 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p46KibYL031658;
	Fri, 6 May 2011 20:44:37 GMT
	(envelope-from nobody)
Message-Id: <201105062044.p46KibYL031658@red.freebsd.org>
Date: Fri, 6 May 2011 20:44:37 GMT
From: Chris Rees <utisoft@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Update docs: jail(8) security issues with world-readable jail root
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         156853
>Category:       docs
>Synopsis:       [patch] Update docs: jail(8) security issues with world-readable jail root
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-jail
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 06 20:50:13 UTC 2011
>Closed-Date:    Sat Sep 22 11:14:45 UTC 2012
>Last-Modified:  Sat Sep 22 11:14:45 UTC 2012
>Originator:     Chris Rees
>Release:        
>Organization:
>Environment:
>Description:
I brought this problem up on freebsd-security two years ago [1], and promptly forgot about it, but then another person [2] has brought it up again...

Jails have a problem in that if the jail directory is world-readable, an attacker with root access to the jail can create a setuid binary for their own use in the host environment (if they also have this access), thus breaking root in the host.


[1] http://freebsd.1045724.n5.nabble.com/Thoughts-on-jail-privilege-FAQ-submission-td4219099.html

[2] http://lists.freebsd.org/pipermail/freebsd-security/2011-May/005886.html
>How-To-Repeat:
Follow instructions in the Handbook or jail(8) manpage, create a setuid binary inside the jail as root, and run it as unprivileged user in the host.
>Fix:
No fix, but precautions can be taken; this exploit is impossible if the jail's files are not world-readable.

Docs patches for the Handbook [3] and for the jail(8) manpage [4] are provided.

- Advise 0700 permissions for jail root directory to stop various exploits

Patch submitted by: Chris Rees (utisoft@gmail.com)

Discovered by: Chris Rees (utisoft@gmail.com) and Pétur Ingi Egilsson (petur@petur.eu)

[3] http://www.bayofrum.net/~crees/patches/jail-secure-handbook.diff

[4] http://www.bayofrum.net/~crees/patches/jail-secure-manpage.diff
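As an added defender-side check, not part of the PR's patches or of FreeBSD's own tooling, the following POSIX shell script audits a jail root for exactly the condition described above: it verifies that the root directory denies all group/other access (the ?00 mode that `mkdir -p -m 0700 $D` produces) and lists any setuid or setgid files inside that a host user could otherwise reach. The jail path is an assumed argument; only ls(1) and find(1) are used.

```shell
#!/bin/sh
# Added audit script for the problem described in this PR: a jail root that
# host users can traverse lets them run setuid binaries that jail root created.
# Not part of the PR's patches; relies only on POSIX ls(1) and find(1).

# jail_root_closed DIR
# Succeeds (0) when DIR denies all group/other permission bits, i.e. its mode
# is of the form ?00, as the PR's "mkdir -p -m 0700 $D" recommendation gives.
# Fails (1) when group or other have any of r/w/x, and 2 when DIR is missing.
jail_root_closed() {
    [ -d "$1" ] || return 2
    # ls -ld prints e.g. "drwx------  2 root wheel ..."; characters 5-10 are
    # the group and other permission bits.
    perm=$(ls -ld "$1" | cut -c5-10)
    case "$perm" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# jail_setuid_files DIR
# Prints every regular file under DIR with the setuid or setgid bit set, one
# path per line. These are the files a host user would gain privileges from
# if the root directory were traversable.
jail_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# jail_setuid_count DIR
# Number of setuid/setgid files under DIR (convenient for scripted checks).
jail_setuid_count() {
    jail_setuid_files "$1" | wc -l | tr -d ' '
}

# audit_jail DIR
# Combined check: returns 0 when the root is closed to other host users, or
# when nothing inside is setuid anyway; returns 1 when the root is traversable
# AND setuid files exist, which is exactly the condition the PR warns about.
audit_jail() {
    dir=$1
    if jail_root_closed "$dir"; then
        echo "ok: $dir is not traversable by other host users"
        return 0
    fi
    n=$(jail_setuid_count "$dir")
    if [ "$n" -eq 0 ]; then
        echo "warning: $dir is traversable but holds no setuid/setgid files"
        return 0
    fi
    echo "FAIL: $dir is traversable and holds $n setuid/setgid file(s):"
    jail_setuid_files "$dir"
    return 1
}

# Usage: sh jail-audit.sh /here/is/the/jail
if [ "$#" -eq 1 ]; then
    audit_jail "$1"
fi
```

Run it against each jail root after `make distribution`; a "FAIL" line means the mode fix from this PR has not been applied to that jail.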

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->freebsd-doc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri May 6 21:45:29 UTC 2011 
Responsible-Changed-Why:  
reclassify 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 
Responsible-Changed-From-To: freebsd-doc->bcr 
Responsible-Changed-By: bcr 
Responsible-Changed-When: Sun May 8 10:54:32 UTC 2011 
Responsible-Changed-Why:  
Take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/156853: commit references a PR
Date: Sun,  8 May 2011 12:11:46 +0000 (UTC)

 bcr         2011-05-08 12:11:22 UTC
 
   FreeBSD doc repository
 
   Modified files:
     en_US.ISO8859-1/books/handbook/jails chapter.sgml 
   Log:
   Jails have a problem in that if the jail directory is world-readable, an
   attacker with root access to the jail can create a setuid binary for their
   own use in the host environment (if they also have this access), thus
   breaking root in the host.
   
   This exploit is impossible if the jail's files are not world-readable.
   Add instructions to the handbook on how to create a jail with the
   correct permissions set.
   
   PR:                     docs/156853
   Submitted by:   Chris Rees (utisoft at gmail dot com)
   Reviewed by:    cperciva (security parts)
   
   Revision  Changes    Path
   1.23      +13 -3     doc/en_US.ISO8859-1/books/handbook/jails/chapter.sgml

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/156853: commit references a PR
Date: Sun,  8 May 2011 12:17:02 +0000 (UTC)

 Author: bcr (doc committer)
 Date: Sun May  8 12:16:39 2011
 New Revision: 221655
 URL: http://svn.freebsd.org/changeset/base/221655
 
 Log:
   Jails have a problem in that if the jail directory is world-readable,
   an attacker with root access to the jail can create a setuid binary for
   their own use in the host environment (if they also have this access),
   thus breaking root in the host.
   
   This exploit is impossible if the jail's files are not world-readable.
   Add instructions to the man page on how to create a jail with the
   correct permissions set.
   
   PR:		docs/156853
   Submitted by:	Chris Rees (utisoft at gmail dot com)
   Reviewed by:	cperciva (security parts)
   MFC after:	9 days
 
 Modified:
   head/usr.sbin/jail/jail.8
 
 Modified: head/usr.sbin/jail/jail.8
 ==============================================================================
 --- head/usr.sbin/jail/jail.8	Sun May  8 12:16:39 2011	(r221654)
 +++ head/usr.sbin/jail/jail.8	Sun May  8 12:16:39 2011	(r221655)
 @@ -34,7 +34,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd January 17, 2010
 +.Dd May 8, 2011
  .Dt JAIL 8
  .Os
  .Sh NAME
 @@ -431,7 +431,7 @@ command script can be used:
  .Bd -literal
  D=/here/is/the/jail
  cd /usr/src
 -mkdir -p $D
 +mkdir -p -m 0700 $D
  make world DESTDIR=$D
  make distribution DESTDIR=$D
  mount -t devfs devfs $D/dev
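 Review bot: the mode in `mkdir -p -m 0700 $D` is the only change to this script and nothing near it says why, so a reader copying the example will not connect it to the world-readable-root problem explained in a later hunk; suggest a short remark at this point (for instance `.\" 0700: unprivileged host users must not be able to traverse the jail root`) or a forward reference to the new paragraph. Note also that with `-p`, `-m` applies only to the final component `$D` and not to intermediate directories created along the way; that is sufficient here because everything `make world` and `make distribution` install lives under `$D`, but it is worth stating so nobody assumes the parents are closed too.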
 @@ -448,6 +448,10 @@ in the per-jail devfs.
  A simple devfs ruleset for jails is available as ruleset #4 in
  .Pa /etc/defaults/devfs.rules .
  .Pp
 +Non-superusers in the host system should not be able to access the 
 +jail's files; otherwise an attacker with root access to the jail
 +could obtain elevated privileges on the host.
 +.Pp
  In many cases this example would put far more in the jail than needed.
  In the other extreme case a jail might contain only one file:
  the executable to be run in the jail.
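 Review bot: the new sentence on `+Non-superusers in the host system should not be able to access the ` / `+jail's files;` carries trailing whitespace after `the`, and it does not say what "access" means or how the escalation happens, although the commit log does (a setuid binary created by root inside the jail and executed on the host). Suggest tightening to something like: `Unprivileged users on the host must not be able to traverse or execute files in the jail's directory tree; otherwise a root user inside the jail can create a setuid-root binary and run it from the host.` It would also help to tie the sentence to the `-m 0700` in the example script a few lines earlier, which is the concrete setting that implements the advice.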
State-Changed-From-To: open->patched 
State-Changed-By: bcr 
State-Changed-When: Sun May 8 12:22:25 UTC 2011 
State-Changed-Why:  
Slightly modified versions of the patches were committed to their 
respective repositories. Set to 'patched' state until the MFC is 
done. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 
State-Changed-From-To: patched->feedback 
State-Changed-By: bcr 
State-Changed-When: Sun May 8 14:58:23 UTC 2011 
State-Changed-Why:  
We need to come up with a better solution for this and require 
input from various folks, so better set this to 'feedback'.  

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 

From: Chris Rees <utisoft@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: docs/156853: [patch] Update docs: jail(8) security issues with
 world-readable jail root
Date: Sun, 22 May 2011 11:28:15 +0100

 OK, I've changed the instructions along the lines of what des@
 suggested and added a warning about allowing root in the jail access
 to the host as well.
 
 New patches for the manpage [1] and Handbook [2].
 
 Thanks!
 
 Chris
 
 [1] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_1.diff
 [2] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_1.diff

Date: Wed, 25 May 2011 18:52:03 +0100
From: Chris Rees <utisoft@gmail.com>
Reply-To: utisoft@gmail.com
To: Colin Percival <cperciva@freebsd.org>, bug-followup@freebsd.org
Subject: Re: Fwd: docs/156853: [patch] Update docs: jail(8) security issues
 with world-readable jail root

 Thanks for the input from kib@, bcr@, jilles@ and cperciva@; there's a
 new patch for each [1,2].
 
 Chris
 
 [1] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_2.diff
 [2] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_2.diff

Date: Wed, 25 May 2011 17:43:35 -0700
From: Colin Percival <cperciva@freebsd.org>
To: Kostik Belousov <kostikbel@gmail.com>
Subject: Re: Fwd: docs/156853: [patch] Update docs: jail(8) security issues
 with world-readable jail root

 On 05/25/11 17:18, Kostik Belousov wrote:
 > BTW, do we also put such verbose wording somewhere for the "security"
 > issue of removing not writable / not owned files in the directory
 > writable by some user?
 
 Because this doesn't seem to be something people get confused by, at least
 judging by the fact that secteam doesn't get any email about it.  I assume
 the bar for deciding when documentation ought to be expanded is something
 along the line of "do people reading the existing documentation commonly
 make mistakes".
 
 -- 
 Colin Percival
 Security Officer, FreeBSD | freebsd.org | The power to serve
 Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

Date: Thu, 26 May 2011 03:18:17 +0300
From: Kostik Belousov <kostikbel@gmail.com>
To: Chris Rees <utisoft@gmail.com>
Subject: Re: Fwd: docs/156853: [patch] Update docs: jail(8) security issues with world-readable jail root

 On Wed, May 25, 2011 at 06:52:03PM +0100, Chris Rees wrote:
 > Thanks for the input from kib@, bcr@, jilles@ and cperciva@; there's a
 > new patch for each [1,2].
 >
 > Chris
 >
 > [1] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_2.diff
 > [2] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_2.diff
 
 Now you are referencing some unspecified "file descriptors" handling
 issues that are present for nullfs but not for NFS. What are they?
 
 Please do not mention me in any way if the patches happen to land
 in our repository.
 
 BTW, do we also put such verbose wording somewhere for the "security"
 issue of removing not writable / not owned files in the directory
 writable by some user?
 

Date: Thu, 26 May 2011 08:32:08 +0100
From: Chris Rees <utisoft@gmail.com>
Reply-To: utisoft@gmail.com
To: Kostik Belousov <kostikbel@gmail.com>
Subject: Re: Fwd: docs/156853: [patch] Update docs: jail(8) security issues
 with world-readable jail root

 On 26 May 2011 01:18, Kostik Belousov <kostikbel@gmail.com> wrote:
 
 > Now you are referencing some unspecified "file descriptors" handling
 > issues that are present for nullfs but not for NFS. What are they?
 
 I referenced a conversation earlier:
 
 On 22 May 2011 20:32, Chris Rees <utisoft@gmail.com> wrote:
 
 > From IRC (I don't want to attribute without permission):
 >
 > user in jail1 passes fd to directory to user in jail2
 > if these are disjoint jails, the kernel will not know to restrict the
 > process in jail2 to any jail base directory
 > (the process in jail2 will fchdir(fd), chdir("../../../../.."))
 > man 4 unix, /SCM_RIGHTS
 > though this is only an issue if one of the untrusted users can write
 
 
 Chris

Date: Thu, 26 May 2011 15:00:35 +0300
From: Kostik Belousov <kostikbel@gmail.com>
To: Chris Rees <utisoft@gmail.com>
Subject: Re: Fwd: docs/156853: [patch] Update docs: jail(8) security issues with world-readable jail root

 On Thu, May 26, 2011 at 08:32:08AM +0100, Chris Rees wrote:
 > I referenced a conversation earlier:
 How can you reference a private conversation in the public documentation?
 
 Anyway, I was unable to make any sense of the referenced sentence,
 and I still cannot understand what the talk below is about.

 > On 22 May 2011 20:32, Chris Rees <utisoft@gmail.com> wrote:
 >
 > > From IRC (I don't want to attribute without permission):
 > >
 > > user in jail1 passes fd to directory to user in jail2
 > > if these are disjoint jails, the kernel will not know to restrict the
 > > process in jail2 to any jail base directory
 > > (the process in jail2 will fchdir(fd), chdir("../../../../.."))
 > > man 4 unix, /SCM_RIGHTS
 > > though this is only an issue if one of the untrusted users can write
 >
 >
 > Chris
 

From: Chris Rees <crees@freebsd.org>
To: bcr@freebsd.org, Colin Percival <cperciva@freebsd.org>, 
	Kostik Belousov <kostikbel@gmail.com>, Jilles Tjoelker <jilles@stack.nl>, bug-followup@freebsd.org
Cc:  
Subject: Re: docs/156853: [patch] Update docs: jail(8) security issues with
 world-readable jail root
Date: Sun, 24 Jul 2011 17:40:24 +0100

 On 24 July 2011 12:11, Benedict Reuschling <bcr@freebsd.org> wrote:
 > Hi Chris,
 >
 > I've been discussing with gjb@ whether the PR's solution below would fit
 > the one you submitted in docs/156853. Do you think we can modify it so
 > that it fits what you are trying to address?
 >
 > Regards
 >
 > Benedict
 >
 >
 > - -------- Original Message --------
 > Subject: Jail Escaping (Fwd: Re: docs/142341: commit references a PR)
 > Date: Sat, 23 Jul 2011 23:42:46 -0400
 > From: Glen Barber <gjb@FreeBSD.org>
 > To: Benedict Reuschling <bcr@FreeBSD.org>
 >
 > FYI, for the PR assigned to you (which I have not yet caught up on):
 >
 >
 > - -------- Original Message --------
 > From: dfilter@FreeBSD.ORG (dfilter service)
 > Subject: Re: docs/142341: commit references a PR
 > Reply-To: dfilter@FreeBSD.ORG (dfilter service)
 >
 > The following reply was made to PR docs/142341; it has been noted by GNATS.
 >
 > From: dfilter@FreeBSD.ORG (dfilter service)
 > To: bug-followup@FreeBSD.org
 > Cc:
 > Subject: Re: docs/142341: commit references a PR
 > Date: Sun, 24 Jul 2011 03:34:48 +0000 (UTC)
 >
 >  Author: gjb (doc committer)
 >  Date: Sun Jul 24 03:34:38 2011
 >  New Revision: 224286
 >  URL: http://svn.freebsd.org/changeset/base/224286
 >
 >  Log:
 >    Document the potential for jail escape.
 >
 >    Submitted by:        Vedad KAJTAZ (vedad % kajtaz net)
 >    PR:          142341
 >    Reviewed by: bz, rwatson
 >    Rewording by:        rwatson
 >    Approved by: re (kensmith)
 >    MFC after:   3 days
 >
 >  Modified:
 >    head/usr.sbin/jail/jail.8
 >
 >  Modified: head/usr.sbin/jail/jail.8
 >  ==============================================================================
 >  --- head/usr.sbin/jail/jail.8	Sun Jul 24 01:36:01 2011	(r224285)
 >  +++ head/usr.sbin/jail/jail.8	Sun Jul 24 03:34:38 2011	(r224286)
 > =A0@@ -34,7 +34,7 @@
 > =A0.\"
 > =A0.\" $FreeBSD$
 > =A0.\"
 > =A0-.Dd January 17, 2010
 > =A0+.Dd July 23, 2011
 > =A0.Dt JAIL 8
 > =A0.Os
 > =A0.Sh NAME
 > =A0@@ -907,3 +907,10 @@ Currently, the simplest answer is to min
 > =A0offered on the host, possibly limiting it to services offered from
 > =A0.Xr inetd 8
 > =A0which is easily configurable.
 > =A0+.Sh NOTES
 > =A0+Great care should be taken when managing directories visible within
 > the jail.
 > =A0+For example, if a jailed process has its current working directory se=
 t
 > to a
 > =A0+directory that is moved out of the jail's chroot, then the process ma=
 y
 > gain
 > =A0+access to the file space outside of the jail.
 > =A0+It is recommended that directories always be copied, rather than
 > moved, out
 > =A0+of a jail.
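 Review bot: the added NOTES text covers only the case where a jailed process's current working directory is moved out of the jail, but the IRC note quoted earlier in this PR (a directory descriptor passed between jails and then used with fchdir) shows that any open directory descriptor referring to a directory outside the jail's root has the same effect; suggest widening "has its current working directory set to a directory" to "holds an open directory, including its current working directory, that". The broken lines (`se=` / `t`, `ma=` / `y`) are quoted-printable soft breaks introduced by the mail forward, not part of the committed text.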
 
 Hey Benedict,
 
 I think perhaps we could just relegate this to a note at the bottom,
 as suggested before by Konstantin.
 
 Something like:
 
 ...
 of a jail.
 +.Pp
 +It is also not recommended that users allowed root in the jail be
 allowed access to
 +the host system.
 +For example, a root user in a jail can create a setuid root utility
 that could be run in the
 +host system to achieve elevated privileges.
 ...
 
 Kostik, is this more agreeable for you? I do think that it's necessary
 to point out that jails are not a universal UNIX concept, and
 therefore perhaps it's not realistic for people to notice these
 'obvious' problems.
 
 Chris

From: Kostik Belousov <kostikbel@gmail.com>
To: Chris Rees <crees@freebsd.org>
Cc: bcr@freebsd.org, Colin Percival <cperciva@freebsd.org>,
        Jilles Tjoelker <jilles@stack.nl>, bug-followup@freebsd.org
Subject: Re: docs/156853: [patch] Update docs: jail(8) security issues with world-readable jail root
Date: Sun, 24 Jul 2011 19:50:56 +0300

 On Sun, Jul 24, 2011 at 05:40:24PM +0100, Chris Rees wrote:
 > On 24 July 2011 12:11, Benedict Reuschling <bcr@freebsd.org> wrote:
 > > Hi Chris,
 > >
 > > I've been discussing with gjb@ whether the PR's solution below would fit
 > > the one you submitted in docs/156853. Do you think we can modify it so
 > > that it fits what you are trying to address?
 > >
 > > Regards
 > >
 > > Benedict
 > >
 > >
 > > - -------- Original Message --------
 > > Subject: Jail Escaping (Fwd: Re: docs/142341: commit references a PR)
 > > Date: Sat, 23 Jul 2011 23:42:46 -0400
 > > From: Glen Barber <gjb@FreeBSD.org>
 > > To: Benedict Reuschling <bcr@FreeBSD.org>
 > >
 > > FYI, for the PR assigned to you (which I have not yet caught up on):
 > >
 > >
 > > - -------- Original Message --------
 > > From: dfilter@FreeBSD.ORG (dfilter service)
 > > Subject: Re: docs/142341: commit references a PR
 > > Reply-To: dfilter@FreeBSD.ORG (dfilter service)
 > >
 > > The following reply was made to PR docs/142341; it has been noted by GNATS.
 > >
 > > From: dfilter@FreeBSD.ORG (dfilter service)
 > > To: bug-followup@FreeBSD.org
 > > Cc:
 > > Subject: Re: docs/142341: commit references a PR
 > > Date: Sun, 24 Jul 2011 03:34:48 +0000 (UTC)
 > >
 > >  Author: gjb (doc committer)
 > >  Date: Sun Jul 24 03:34:38 2011
 > >  New Revision: 224286
 > >  URL: http://svn.freebsd.org/changeset/base/224286
 > >
 > >  Log:
 > >    Document the potential for jail escape.
 > >
 > >    Submitted by:        Vedad KAJTAZ (vedad % kajtaz net)
 > >    PR:          142341
 > >    Reviewed by: bz, rwatson
 > >    Rewording by:        rwatson
 > >    Approved by: re (kensmith)
 > >    MFC after:   3 days
 > >
 > >  Modified:
 > >    head/usr.sbin/jail/jail.8
 > >
 > >  Modified: head/usr.sbin/jail/jail.8
 > >  ==============================================================================
 > >  --- head/usr.sbin/jail/jail.8	Sun Jul 24 01:36:01 2011	(r224285)
 > >  +++ head/usr.sbin/jail/jail.8	Sun Jul 24 03:34:38 2011	(r224286)
 > > =9A@@ -34,7 +34,7 @@
 > > =9A.\"
 > > =9A.\" $FreeBSD$
 > > =9A.\"
 > > =9A-.Dd January 17, 2010
 > > =9A+.Dd July 23, 2011
 > > =9A.Dt JAIL 8
 > > =9A.Os
 > > =9A.Sh NAME
 > > =9A@@ -907,3 +907,10 @@ Currently, the simplest answer is to min
 > > =9Aoffered on the host, possibly limiting it to services offered from
 > > =9A.Xr inetd 8
 > > =9Awhich is easily configurable.
 > > =9A+.Sh NOTES
 > > =9A+Great care should be taken when managing directories visible within
 > > the jail.
 > > =9A+For example, if a jailed process has its current working directory =
 set
 > > to a
 > > =9A+directory that is moved out of the jail's chroot, then the process =
 may
 > > gain
 > > =9A+access to the file space outside of the jail.
 > > =9A+It is recommended that directories always be copied, rather than
 > > moved, out
 > > =9A+of a jail.
 >
 > Hey Benedict,
 >
 > I think perhaps we could just relegate this to a note at the bottom,
 > as suggested before by Konstantin.
 >
 > Something like:
 >
 > ...
 > of a jail.
 > +.Pp
 > +It is also not recommended that users allowed root in the jail be
 > allowed access to
 > +the host system.
 > +For example, a root user in a jail can create a setuid root utility
 > that could be run in the
 > +host system to achieve elevated privileges.
 > ...
 >
 > Kostik, is this more agreeable for you? I do think that it's necessary
 > to point out that jails are not a universal UNIX concept, and
 > therefore perhaps it's not realistic for people to notice these
 > 'obvious' problems.
 
 This looks fine.
 
 Thanks.
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/156853: commit references a PR
Date: Thu, 28 Jul 2011 11:42:10 +0000 (UTC)

 Author: bcr (doc committer)
 Date: Thu Jul 28 11:41:55 2011
 New Revision: 224475
 URL: http://svn.freebsd.org/changeset/base/224475
 
 Log:
   Add a section to the jail chapter that explains why it is not
   recommended to allow root users in the jail to access the host system.
   
   PR:		docs/156853
   Submitted by:	crees
   Patch by:	crees
   Approved by:	re (kib) for BETA1
 
 Modified:
   head/usr.sbin/jail/jail.8
 
 Modified: head/usr.sbin/jail/jail.8
 ==============================================================================
 --- head/usr.sbin/jail/jail.8	Thu Jul 28 10:16:30 2011	(r224474)
 +++ head/usr.sbin/jail/jail.8	Thu Jul 28 11:41:55 2011	(r224475)
 @@ -34,7 +34,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd July 23, 2011
 +.Dd July 28, 2011
  .Dt JAIL 8
  .Os
  .Sh NAME
 @@ -914,3 +914,8 @@ directory that is moved out of the jail'
  access to the file space outside of the jail.
  It is recommended that directories always be copied, rather than moved, out
  of a jail.
 +.Pp
 +It is also not recommended that users allowed root in the jail be allowed
 +access to the host system.
 +For example, a root user in a jail can create a setuid root utility that
 +could be run in the host system to achieve elevated privileges.
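 Review bot: the sentence `+It is also not recommended that users allowed root in the jail be allowed` / `+access to the host system.` stacks two "allowed" clauses and leaves "access" undefined (a shell account on the host? the ability to execute files from the jail's tree from the host?); suggest something like "Users who have root inside a jail should not also hold accounts on the host system, since a root user in a jail can create a setuid root utility that could then be run on the host to gain elevated privileges." Also, this paragraph is appended to the NOTES section that r224286 introduced for the moved-directory case; the two describe unrelated conditions, so the wording should make clear it is not a continuation of the copy-versus-move advice in the preceding context lines.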
State-Changed-From-To: feedback->patched 
State-Changed-By: crees 
State-Changed-When: Tue Aug 9 12:56:12 UTC 2011 
State-Changed-Why:  
Are we going to MFC this too? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 

From: Benedict Reuschling <bcr@FreeBSD.org>
To: bug-followup@FreeBSD.org, utisoft@gmail.com
Cc:  
Subject: Re: docs/156853: [patch] Update docs: jail(8) security issues with
 world-readable jail root
Date: Tue, 09 Aug 2011 19:18:55 +0200

 
 I've reverted the patch. There is still a discussion going about how we
 should handle this. There are different viewpoints about what the basic
 philosophy is behind jails. The first sentence of your latest patch does
 seem to be preferred by most people involved, the second is more in dispute.
 
 Benedict

From: Chris Rees <utisoft@gmail.com>
To: bcr@freebsd.org
Cc: bug-followup@freebsd.org
Subject: Re: docs/156853: [patch] Update docs: jail(8) security issues with
 world-readable jail root
Date: Tue, 9 Aug 2011 18:47:36 +0100

 On 9 August 2011 18:18, Benedict Reuschling <bcr@freebsd.org> wrote:
 > I've reverted the patch. There is still a discussion going about how we
 > should handle this. There are different viewpoints about what the basic
 > philosophy is behind jails. The first sentence of your latest patch does
 > seem to be preferred by most people involved, the second is more in dispute.
 >
 > Benedict
 
 I'm _really_ sorry for bringing this up :P
 
 Thanks for looking after it.
 
 Chris
 
 -- 
 Chris Rees          | FreeBSD Developer
 crees@FreeBSD.org   | http://people.freebsd.org/~crees
State-Changed-From-To: patched->open 
State-Changed-By: crees 
State-Changed-When: Tue Aug 9 17:56:04 UTC 2011 
State-Changed-Why:  
Reverted.... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 
Responsible-Changed-From-To: bcr->freebsd-doc 
Responsible-Changed-By: bcr 
Responsible-Changed-When: Mon May 7 11:50:43 UTC 2012 
Responsible-Changed-Why:  
Drop this back into the pool, as I could not make much progress on it. 
The last discussion points revolved around the question whether jails are 
meant to be a security feature or for virtualization purposes. Maybe someone 
else can find a better solution, I'm not even sure that doc is the right 
category for this PR at the moment. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 
Responsible-Changed-From-To: freebsd-doc->freebsd-jail 
Responsible-Changed-By: crees 
Responsible-Changed-When: Fri Jul 20 09:18:56 UTC 2012 
Responsible-Changed-Why:  
What do you guys think of it? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 
State-Changed-From-To: open->closed 
State-Changed-By: bcr 
State-Changed-When: Sat Sep 22 11:11:12 UTC 2012 
State-Changed-Why:  
Closed by submitters request. The change r39566 of  
books/handbook/jails/chapter.sgml provided sufficient  
warning to solve the issue. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 
>Unformatted:
