Jails have a problem in that if the jail directory is world-readable,

an attacker with root access to the jail can create a setuid binary for
their own use in the host environment (if they also have this access),
thus breaking root in the host.

This exploit is impossible if the jail's files are not world-readable.
Add instructions to the man page on how to create a jail with the
correct permissions set.

PR:		docs/156853
Submitted by:	Chris Rees (utisoft at gmail dot com)
Reviewed by:	cperciva (security parts)
MFC after:	9 days
This commit is contained in:
bcr 2011-05-08 12:16:39 +00:00
parent 37c4b4161f
commit c6debcf559

View File

@ -34,7 +34,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd January 17, 2010
.Dd May 8, 2011
.Dt JAIL 8
.Os
.Sh NAME
@ -431,7 +431,7 @@ command script can be used:
.Bd -literal
D=/here/is/the/jail
cd /usr/src
mkdir -p $D
mkdir -p -m 0700 $D
make world DESTDIR=$D
make distribution DESTDIR=$D
mount -t devfs devfs $D/dev
@ -448,6 +448,10 @@ in the per-jail devfs.
A simple devfs ruleset for jails is available as ruleset #4 in
.Pa /etc/defaults/devfs.rules .
.Pp
Non-superusers in the host system should not be able to access the
jail's files; otherwise an attacker with root access to the jail
could obtain elevated privileges on the host.
.Pp
In many cases this example would put far more in the jail than needed.
In the other extreme case a jail might contain only one file:
the executable to be run in the jail.