Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

misc/142341: Jail escape when cwd is moved from the host system

0 views

Skip to first unread message

Vedad KAJTAZ

unread,

Jan 5, 2010, 4:40:23 AM1/5/10

to freebsd-gn...@freebsd.org

>Number: 142341
>Category: misc
>Synopsis: Jail escape when cwd is moved from the host system
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 05 09:40:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Vedad KAJTAZ
>Release: 7.2-RELEASE-p4
>Organization:
Vedad KAJTAZ
>Environment:
FreeBSD kenny.osilex.net 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct 2 12:21:39 UTC 2009 ro...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Given the following setup:

- A host system
- A jail system located in /usr/local/jails/J1 on the host system
- A shell open in the jail system, with cwd set to /some/path (therefore, /usr/local/jails/J1/some/path on the host system).

When the root moves the /usr/local/jails/J1/some/path folder somewhere else (say in /usr/local/jails/J2/some/path), the jail shell (as any other jail process) in no longer rooted and has access to the whole filesystem on the host.
Though this is not a common situation, it may happen (and did happen to me).

Best regards,
>How-To-Repeat:
Always repeatable
>Fix:
None known

>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebs...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs...@freebsd.org"

0 new messages