On Fri, 28 Dec 2007, Johan Ström wrote:

On Dec 28, 2007, at 13:41 , Edwin Groothuis wrote:

On Fri, Dec 28, 2007 at 01:15:38PM +0100, Johan Ström wrote:
That's my home dir on core!.. That should very much not be visible there! I have full access now (from the wrong jail!)

Known bug or did I just stumble upon something pretty bad??

You didn't really break out of it, the person who managed the machine did something he shouldn't have done: Moving the directories while the jail(s) were running. It should be mentioned in the BUGS section of the jail(8) command.

Yes, that's true.. Without "super-root" doing that the "breakout" would never happen. But still a bug, so yes I guess it should be mentioned in BUGS (and handbook too? not sure where this kind of "special features" are noted) unless it's fixed.

While the results are potentially confusing, this is actually an intentional design choice. Jails are not intended to provide complete isolation, rather, unintrusive and low-overhead containment. As long as untrusted processes are working with the file system namespace exposed to the jail, the privileged root user should be very cautious about trusting those bits of namespace, just as they should be cautious with bits of file system namespace writable by regular users. In order to prevent these kinds of issues, we'd need to use more intensive isolation of the file system components visible in the jail, such as allowing access to a particular object only "within" or "outside" of the jail, rather than both. If the man page doesn't have a cautionary note on users outside the jail trusting data in the jail, it should do so.

Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable