From mjoyner@rv1.dynip.com  Wed Aug 13 18:04:09 2003
Return-Path: <mjoyner@rv1.dynip.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4AEF137B401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 13 Aug 2003 18:04:09 -0700 (PDT)
Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9B2E243F3F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 13 Aug 2003 18:04:08 -0700 (PDT)
	(envelope-from mjoyner@rv1.dynip.com)
Received: from duron.rv1.dynip.com (c-66-177-119-177.se.client2.attbi.com[66.177.119.177](untrusted sender))
          by attbi.com (rwcrmhc12) with ESMTP
          id <2003081401040701400e1gide>; Thu, 14 Aug 2003 01:04:07 +0000
Received: from rv1.dynip.com (localhost [127.0.0.1])
	by duron.rv1.dynip.com (8.12.9/8.12.9) with ESMTP id h7E146Uc004540
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 13 Aug 2003 21:04:07 -0400 (EDT)
	(envelope-from mjoyner@rv1.dynip.com)
Message-Id: <3F3AE006.3040400@rv1.dynip.com>
Date: Wed, 13 Aug 2003 21:04:06 -0400
From: mjoyner <mjoyner@rv1.dynip.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: DUMP has access to block devices in a JAIL

>Number:         55568
>Category:       kern
>Synopsis:       DUMP can be used in JAIL
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 13 18:10:18 PDT 2003
>Closed-Date:    Thu Oct 16 23:26:56 PDT 2003
>Last-Modified:  Thu Oct 16 23:26:56 PDT 2003
>Originator:     System Administrator
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
>Environment:
System: FreeBSD eadmin.dyns.net 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Mon Aug 11 15:53:58 EDT 2003 sysadmin@eadmin.dyns.net:/usr/src/sys/i386/compile/kernel.build.conf i386


>Description:

         A jailed root user can use DUMP and gain a snapshot of the
         entire disk. From there the jailed root user can restore files
         from the HOST SYSTEM or any other jails at their leisure.

         Even if DEVFS is not mounted, a root user could possibly create a
         device node anyway, and one needs TTYS anyway.

         Some sort of check is not occurring in the disk access code that
         is needed to prevent JAILED users from having ANY raw access to
         the disk.

>How-To-Repeat:
         Run DUMP in a jailed environment.

>Fix:
         Add security checks on device access to prevent jailed users
         from gaining access to things they don't need access to.

         If this is a setting which can be changed, the default behavior
         needs to be more security conscious, or at least very very very
         clearly documented.


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: kris 
State-Changed-When: Wed Oct 8 15:23:07 PDT 2003 
State-Changed-Why:  
This looks like expected behaviour. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55568 

From: Kris Kennaway <kris@obsecurity.org>
To: mjoyner <mjoyner@rv1.dynip.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55568: DUMP has access to block devices in a JAIL
Date: Wed, 8 Oct 2003 15:23:02 -0700

 On Wed, Aug 13, 2003 at 09:04:06PM -0400, mjoyner wrote:
 
 > A jailed root user can use DUMP and gain a snapshot of the entire disk.
 > From there the jailed root user can restore files from the HOST SYSTEM
 > or any other jails at their leisure.
 
 Only if the administrator has configured the jail with the raw disk
 devices.  As you note, this is a security risk.
 
 > Even if DEVFS is not mounted, a root user could possibly create a
 > device node anyway, and one needs TTYS anyway.
 
 I believe this to be untrue.  root cannot make device nodes once
 inside a jail.
 
 Kris

From: mjoyner <mjoyner@rv1.dynip.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55568: DUMP has access to block devices in a JAIL
Date: Wed, 08 Oct 2003 23:33:50 -0400

 Where would one find documentation to prevent the jailed user from being 
 able to dump the raw partition(s)?
 
 Kris Kennaway wrote:
 > On Wed, Aug 13, 2003 at 09:04:06PM -0400, mjoyner wrote:
 >
 >> A jailed root user can use DUMP and gain a snapshot of the entire disk.
 >> From there the jailed root user can restore files from the HOST SYSTEM
 >> or any other jails at their leisure.
 >
 > Only if the administrator has configured the jail with the raw disk
 > devices.  As you note, this is a security risk.
 >
 >> Even if DEVFS is not mounted, a root user could possibly create a
 >> device node anyway, and one needs TTYS anyway.
 >
 > I believe this to be untrue.  root cannot make device nodes once
 > inside a jail.
 >
 > Kris
 

From: Kris Kennaway <kris@obsecurity.org>
To: mjoyner <mjoyner@rv1.dynip.com>
Cc: Kris Kennaway <kris@obsecurity.org>,
	FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55568: DUMP has access to block devices in a JAIL
Date: Wed, 8 Oct 2003 20:52:38 -0700

 On Wed, Oct 08, 2003 at 11:33:50PM -0400, mjoyner wrote:
 > Where would one find documentation to prevent the jailed user from being
 > able to dump the raw partition(s)?
 
 jails containing untrusted root users should only contain a minimum
 set of device nodes (the exact list would depend on what you want to
 do with the jail).  This is documented in the manpage.
 
 
 Kris
 
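The reply above says the remedy is to give a jail only a minimal set of device nodes. As an added example, not part of the PR or of FreeBSD, here is a small POSIX sh audit that reads an `ls -l` listing of a jail's /dev and reports every block or character node outside an assumed allowlist; the sample listing is constructed.

```shell
# Added example (not from PR 55568 or FreeBSD): audit a jail's /dev against an
# allowlist, flagging every block or character special file outside it.
# Feed it the output of `ls -l /dev` taken inside the jail.

# Assumed minimal device set for a login-capable jail; tune per jail purpose.
# Disk nodes (ad0, da0, ...) are deliberately absent: with them present,
# dump(8) can read the raw partition, which is exactly what the PR describes.
is_allowed_dev() {
    case "$1" in
        null|zero|random|urandom|tty|ptmx|ttyp*|ptyp*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads an ls -l listing on stdin, prints each offending node name, and
# returns 1 if any were found (0 when only allowed nodes are exposed).
audit_jail_devs() {
    found=0
    while IFS= read -r line; do
        # Only block ('b') and character ('c') special files matter;
        # symlinks, directories and regular files are skipped.
        case "$line" in
            b*|c*) ;;
            *) continue ;;
        esac
        name="${line##* }"      # last field of the ls -l line
        name="${name##*/}"      # drop any directory prefix
        if ! is_allowed_dev "$name"; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample listing: a jail whose devfs was left unrestricted.
JAIL_DEV_LISTING='crw-rw-rw-  1 root  wheel    0x3 Aug 13  2003 null
crw-rw-rw-  1 root  wheel    0x4 Aug 13  2003 zero
crw-rw-rw-  1 root  wheel    0x7 Aug 13  2003 ttyp0
crw-r-----  1 root  operator 0x8 Aug 13  2003 ad0
crw-r-----  1 root  operator 0x9 Aug 13  2003 ad0s1a
lrwxr-xr-x  1 root  wheel      4 Aug 13  2003 stdin -> fd/0'

if printf '%s\n' "$JAIL_DEV_LISTING" | audit_jail_devs; then
    echo "jail /dev is minimal"
else
    echo "jail exposes device nodes outside the allowlist (listed above)"
fi
```

Run it against a real jail with `jexec <jid> ls -l /dev | sh -c '. ./audit.sh; audit_jail_devs'` or simply paste the listing; a non-zero exit means the jail still carries nodes a jailed root does not need.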
State-Changed-From-To: analyzed->closed 
State-Changed-By: kris 
State-Changed-When: Thu Oct 16 23:26:25 PDT 2003 
State-Changed-Why:  
Pointed submitter to the documentation about this feature. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55568 
>Unformatted:
