From nobody@FreeBSD.org  Wed Feb 25 09:05:28 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6C1D1106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 25 Feb 2009 09:05:28 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 58FFE8FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 25 Feb 2009 09:05:28 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n1P95RDJ043611
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 25 Feb 2009 09:05:27 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n1P95RHt043610;
	Wed, 25 Feb 2009 09:05:27 GMT
	(envelope-from nobody)
Message-Id: <200902250905.n1P95RHt043610@www.freebsd.org>
Date: Wed, 25 Feb 2009 09:05:27 GMT
From: Aleksandr Stankevic <alex@braske.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: jail can listen on *:port when jail_socket_unixiproute_only set to NO
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         132092
>Category:       kern
>Synopsis:       [jail] jail can listen on *:port when jail_socket_unixiproute_only set to NO
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 25 09:10:04 UTC 2009
>Closed-Date:    Tue Nov 17 21:16:13 UTC 2009
>Last-Modified:  Tue Nov 17 21:16:13 UTC 2009
>Originator:     Aleksandr Stankevic
>Release:        
>Organization:
>Environment:
FreeBSD alex.viko.lt 7.1-RELEASE-p3 FreeBSD 7.1-RELEASE-p3 #0: Tue Feb 24 22:53:54 EET 2009     alex@alex.viko.lt:/usr/src/sys/i386/compile/GENERIC  i386

>Description:
I've noticed that apache in jail is listening on *:80.
After debugging for some time, I found out it's because of jail_socket_unixiproute_only set to NO.

The problem is, that it is really listening on *:80, and not on the ip the jail was given.
I.e. 

Host system ip: 111.111.128.50
Jail system ip: 111.111.128.51

Host system only has sshd running, no other network services.
Jail system has apache installed. Apache is listening on *:80
By telnetting to 111.111.128.50:80 (the host ip) I will connect to the jail system.
It's kind of a jail escape IMHO.

Other jails, which don't have anything listening on port 80, can be connected to via port 80. But the destination server will be the jail which listens on *:80.

>How-To-Repeat:
Set jail_socket_unixiproute_only=NO in rc.conf, start a jail, and create a socket listening on *:port
Can't reproduce with software like netcat, but software like apache/jabberd can listen on *:port.

>Fix:
I don't know if that's a wanted behavior.
I can see two solutions:
1. if it should work that way, then add a note/warning to the docs so users know that setting jail_socket_unixiproute_only to NO will lower the security of the jail by letting it bind to wildcard IP.
2. if it shouldn't work that way - then fix it so it can't listen on wildcard ip, and that way fix the jail/privilege escape

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-jail 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Feb 26 01:38:20 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=132092 
Responsible-Changed-From-To: freebsd-jail->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Mon Jun 8 17:25:24 UTC 2009 
Responsible-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=132092 
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Mon Jun 8 17:25:45 UTC 2009 
State-Changed-Why:  
Taken and set to feedback while we try to get more information. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=132092 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, alex@braske.net
Cc:  
Subject: Re: kern/132092: [jail] jail can listen on *:port when
 jail_socket_unixiproute_only set to NO
Date: Mon, 8 Jun 2009 17:24:39 +0000 (UTC)

 Hi,
 
 disabling jail_socket_unixiproute_only widens the protocols jails can
 access.  Can you show netstat -an from within the jail and from the
 base system at the same time?  I am not sure what's going on but I'd
 like to confirm that it is actually an IPv4 tcp socket and not tcp6
 ones that have the *:80 binding.
 
 Have you tried freebsd 7.2? Does it still happen there?
 
 /bz
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.
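
The check bz asks for above (is the "*:80" entry a tcp4 socket or only a tcp6 one?) can be scripted so the base-system and in-jail listings are compared the same way. The following is an added example, not code from the PR, from bz or from FreeBSD; the netstat output it carries is constructed to look like FreeBSD's `netstat -an` (which prints the port after a dot, e.g. `*.80`), and the 111.111.128.x addresses are the reporter's placeholder IPs. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the PR): classify wildcard listeners in
# FreeBSD `netstat -an` output by address family, so a "*.80" binding
# can be told apart as tcp4 (the escape the report describes) or tcp6
# (the benign case bz wants to rule out).
#
# Live use, run on the base system and then inside the jail:
#   netstat -an | sh wildcard_check.sh
#   jexec <jid> netstat -an | sh wildcard_check.sh

# Constructed sample of base-system output (not captured from the
# reporter's machine): sshd on the host IP, a v4 AND a v6 wildcard on
# port 80, syslogd on udp, plus one established connection.
SAMPLE_HOST='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  111.111.128.50.22      *.*                    LISTEN
tcp6       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
tcp4       0      0  111.111.128.51.80      111.111.128.77.51012   ESTABLISHED'

# Constructed sample where port 80 is wildcard-bound on tcp6 only and
# IPv4 is bound to the jail address: no IPv4 wildcard, nothing to report.
SAMPLE_V6ONLY='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  111.111.128.51.80      *.*                    LISTEN'

# wildcard_listeners: read netstat -an text on stdin and print
# "<proto> <port>" for every socket bound to the wildcard address.
# TCP sockets are reported only in LISTEN state; UDP has no state column.
wildcard_listeners() {
    awk '
        # Internet sockets only: skips the header lines and the unix(4)
        # section, whose first field is not tcp4/tcp6/tcp46/udp4/udp6.
        $1 ~ /^(tcp|udp)(4|6|46)$/ && $4 ~ /^\*\./ {
            port = $4
            sub(/^\*\./, "", port)
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            print $1, port
        }'
}

# has_v4_wildcard: succeed (exit 0) if any wildcard binding can accept
# IPv4 connections, i.e. a tcp4/udp4 socket or a dual-stack tcp46 one.
# A tcp6-only "*.80" does not count: that is the case bz suspects.
has_v4_wildcard() {
    wildcard_listeners | awk '$1 ~ /4/ { found = 1 } END { exit !found }'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_HOST" | wildcard_listeners
if printf '%s\n' "$SAMPLE_HOST" | has_v4_wildcard; then
    echo "SAMPLE_HOST: IPv4 wildcard listener present"
fi
if ! printf '%s\n' "$SAMPLE_V6ONLY" | has_v4_wildcard; then
    echo "SAMPLE_V6ONLY: only tcp6 wildcard, no IPv4 exposure"
fi
```

Running the same script against the host listing and the jail listing side by side answers the question directly: a `tcp4 80` line from inside the jail means the jail really holds an IPv4 wildcard socket; a `tcp6 80` line alone means the apparent "*:80" is the IPv6 socket. On FreeBSD, `sockstat -l` gives the same information with the owning process, which helps when several jails run on one host.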

From: Aleksandr Stankevic <alex@braske.net>
To: bug-followup@FreeBSD.org, alex@braske.net
Cc:  
Subject: Re: kern/132092: [jail] jail can listen on *:port when jail_socket_unixiproute_only
 set to NO
Date: Sun, 12 Jul 2009 21:15:10 +0300

 Hi,
 
 I can't seem to reproduce it on 7.2, so it must have been fixed by now.
State-Changed-From-To: feedback->closed 
State-Changed-By: bz 
State-Changed-When: Tue Nov 17 21:15:46 UTC 2009 
State-Changed-Why:  
Thanks a lot for reporting and testing on an updated machine. 
Happy the problem is gone:) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=132092 
>Unformatted:
