Date: Tue, 6 Apr 2010 22:33:30 GMT
From: Dan Naumov <dan.naumov@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: sysinstall and sade can access host's disks from within a jail

>Number:         145444
>Category:       kern
>Synopsis:       [jail] sysinstall and sade can access host's disks from within a jail
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 06 22:40:01 UTC 2010
>Closed-Date:    Thu Aug 01 20:28:03 UTC 2013
>Last-Modified:  Thu Aug 01 20:28:03 UTC 2013
>Originator:     Dan Naumov
>Release:        8.0
>Organization:
>Environment:
FreeBSD atombsd.localdomain 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan  5 21:11:58 UTC 2010     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
If you run "sade" or "sysinstall" within a jail, you can see the host system's disks from within the jail, giving a malicious superuser within the jail the capability to inspect the disk and partition layout of the host.

Actual destructive actions to the host's disk from within such an instance of "sade" / "sysinstall" do not seem possible (attempting to write out changes returns an error), but nevertheless such peeking capability is still troubling.

It is my understanding that this is not intended behaviour.
>How-To-Repeat:
1) Install FreeBSD 8.0
2) Create and install a jail
3) Start the jail
4) Log into the jail as a user with root privileges (locally via host's console or remotely, connecting to an sshd running within the jail)
5) Run "sade" or "sysinstall"
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-jail 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Apr 6 23:18:07 UTC 2010 
Responsible-Changed-Why:  
Perhaps the folks on the jail mailing list can comment. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145444 
State-Changed-From-To: open->feedback 
State-Changed-By: delphij 
State-Changed-When: Wed Apr 7 00:55:02 UTC 2010 
State-Changed-Why:  
Dear submitter, 

By default, FreeBSD applies a devfs rule called "jail" if the jail 
is being started with rc.d script /etc/rc.d/jail.  Could you please 
make sure that you are also using it this way?  This issue sounds 
like a security vulnerability but I can not reproduce on my own 
system, so maybe it's just a misconfiguration... 

Thanks for bringing this to our attention! 


Responsible-Changed-From-To: freebsd-jail->secteam 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Wed Apr 7 00:55:02 UTC 2010 
Responsible-Changed-Why:  
Take as secteam@. 


From: Dan Naumov <dan.naumov@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: RE: kern/145444: [jail] sysinstall and sade can access host's disks 
	from within a jail
Date: Wed, 7 Apr 2010 09:31:47 +0300

 I guess I should've also clarified that the jail was installed using
 ezjail and not completely manually.
 
 From the jail's configuration file at /usr/local/etc/ezjail/semipublic
 
 export jail_semipublic_devfs_enable="YES"
 export jail_semipublic_devfs_ruleset="devfsrules_jail"
 
 I am guessing that next I should try to build and install a jail in a
 purely manual fashion to see if the issue persists?
 
 
 - Dan

From: Andriy Gapon <avg@icyb.net.ua>
To: bug-followup@FreeBSD.org, dan.naumov@gmail.com
Cc:  
Subject: Re: kern/145444: [jail] sysinstall and sade can access host's disks
 from within a jail
Date: Wed, 07 Apr 2010 15:48:26 +0300

 I can reproduce this issue with stable/8, but it's probably just a R/O issue.
 The disk device nodes are _not_ visible in devfs of a jail, but sade(8) still sees
 them.
 
 I ran ktrace on sade and it seems that it _sees_ the devices via
 kern.geom.conftxt.  gpart can show the devices too, but it can't do any
 modifications because /dev/geom.ctl is not accessible from jail.
 
 -- 
 Andriy Gapon
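
The mismatch described in the follow-up above (disk nodes hidden by the jail's devfs ruleset, yet still listed through kern.geom.conftxt, with /dev/geom.ctl missing so nothing can be modified) can be checked from inside a jail with a short script. This is an added example, not part of the PR or of FreeBSD; the function names, the constructed sample data and the conftxt field layout noted in the comments are assumptions.

```shell
#!/bin/sh
# Added example: compare what kern.geom.conftxt reports with what devfs exposes.
# Assumed conftxt line layout: <depth> <class> <name> <mediasize> <sectorsize> ...

# Print "name mediasize" for each top-level DISK entry in conftxt text on stdin.
conftxt_disks() {
    awk '$1 == 0 && $2 == "DISK" { print $3, $4 }'
}

# Print names of disks listed in conftxt (stdin) that have no node under
# the device directory $1, i.e. hidden by devfs rules but still reported.
leaked_disks() {
    conftxt_disks | while read -r name _size; do
        [ -e "$1/$name" ] || echo "$name"
    done
}

# One-line verdict for device directory $1, conftxt text on stdin.
# geom.ctl is the control node gpart needs in order to modify anything.
jail_disk_report() {
    leaked=$(leaked_disks "$1" | paste -sd, -)
    if [ -e "$1/geom.ctl" ]; then ctl=present; else ctl=absent; fi
    if [ -n "$leaked" ]; then
        echo "LEAK geom.ctl=$ctl disks=$leaked"
    else
        echo "CONSISTENT geom.ctl=$ctl"
    fi
}

# Constructed sample of kern.geom.conftxt output (not taken from the PR).
SAMPLE_CONFTXT='0 DISK ad4 250059350016 512 hd 16 sc 63
1 PART ad4s1 250056705024 512 i 1 o 32256 ty freebsd xs MBR xt 165
0 DISK ad6 250059350016 512 hd 16 sc 63'

# Use live data where the sysctl exists (FreeBSD), else the constructed sample
# checked against a directory with no device nodes at all.
if conftxt=$(sysctl -n kern.geom.conftxt 2>/dev/null); then
    printf '%s\n' "$conftxt" | jail_disk_report /dev
else
    printf '%s\n' "$SAMPLE_CONFTXT" | jail_disk_report /nonexistent
fi
```

A `LEAK geom.ctl=absent` verdict corresponds to the read-only exposure reported here: the layout is visible, but the control node needed for changes is not.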
State-Changed-From-To: feedback->open 
State-Changed-By: delphij 
State-Changed-When: Wed Apr 7 16:55:17 UTC 2010 
State-Changed-Why:  
Problem confirmed. 


From: Naumov Dan <Dan.Naumov@elisa.fi>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>
Cc:  
Subject: Re: kern/145444: [jail] sysinstall and sade can access host's disks
 from within a jail
Date: Mon, 26 Apr 2010 17:33:22 +0300

 Additionally:
 
 ------------
 dmesg -a
 ------------
 
 When run inside a jail, shows the output as if it was run from the host and
 not the jail. These seem to be rather serious security issues for me.
 
 
 - Sincerely,
 Dan Naumov
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Thu Aug 1 20:26:22 UTC 2013 
State-Changed-Why:  
I think we can close this item. Jails are known to be able to retrieve certain information from the 
host, but unless one can misuse this, it's probably not to be fixed. 

>Unformatted:
