Jails have a problem in that if the jail directory is world-readable, an attacker with root access to the jail can create a setuid binary for their own use in the host environment (if they also have this access), thus breaking root in the host. This exploit is impossible if the jail's files are not world-readable. Add instructions to the handbook on how to create a jail with the correct permissions set.

PR: docs/156853
Submitted by: Chris Rees (utisoft at gmail dot com)
Reviewed by: cperciva (security parts)
parent 18eac60982
commit a79c1cdd91
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=37232
1 changed file with 13 additions and 3 deletions
@ -240,7 +240,7 @@
the procedure for building a jail:</para>
<screen>&prompt.root; <userinput>setenv D <replaceable>/here/is/the/jail</replaceable></userinput>
&prompt.root; <userinput>mkdir -p $D</userinput> <co id="jailpath">
&prompt.root; <userinput>mkdir -p -m 0700 $D</userinput> <co id="jailpath"> <co id="chmod">
&prompt.root; <userinput>cd /usr/src</userinput>
&prompt.root; <userinput>make buildworld</userinput> <co id="jailbuildworld">
&prompt.root; <userinput>make installworld DESTDIR=$D</userinput> <co id="jailinstallworld">
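Review bot: `mkdir -p -m 0700 $D` only applies the mode when it actually creates `$D`; because `-p` is silent on an existing directory, a jail directory that was created earlier with the default mode stays world-readable, which is exactly the case this change wants to close. The text should tell the reader to run `chmod 0700 $D` afterwards (or to verify with `ls -ld $D`). Note also that `-m` affects only the final component, not the intermediate directories `-p` creates; that is enough here because the last component denies traversal, but the `chmod` callout could say so.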
@ -261,6 +261,16 @@
of the &os; base system.</para>
</callout>
<callout arearefs="chmod">
<para>It is important to restrict access to the jail from the host
system to ensure that i.e. setuid files created in the jail
are not usable in the host system; otherwise an attacker with root
access to the jail could create a setuid program in the jail and
execute it in the host. For similar reasons it is a bad idea to
share read/write <application>nullfs</application> mounts between
jails, although <application>NFS</application> is fine.</para>
</callout>
<callout arearefs="jailbuildworld">
<para>If you have already rebuilt your userland using
<command>make world</command> or <command>make buildworld</command>,
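Review bot: in the new `chmod` callout, "i.e. setuid files" should read "e.g. setuid files", since setuid binaries are one example of what the restricted mode protects against rather than its definition. The threat also needs its precondition stated: the attacker can only "execute it in the host" if they already hold an account on the host, which the commit message says but the callout omits. Finally, the closing claim that read/write `nullfs` mounts between jails are a bad idea while `NFS` is fine is given without a reason; a short justification or a cross-reference would stop readers from applying it as a blanket rule.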
@ -667,7 +677,7 @@ jail_<replaceable>www</replaceable>_devfs_ruleset="<replaceable>www_ruleset</rep
install the read-only file system to the jail
template:</para>
<screen>&prompt.root; <userinput>mkdir /home/j /home/j/mroot</userinput>
<screen>&prompt.root; <userinput>mkdir -m 0700 /home/j && mkdir /home/j/mroot</userinput>
&prompt.root; <userinput>cd /usr/src</userinput>
&prompt.root; <userinput>make installworld DESTDIR=/home/j/mroot</userinput></screen>
</step>
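Review bot: `mkdir -m 0700 /home/j && mkdir /home/j/mroot` aborts at the first `mkdir` when `/home/j` already exists, so `mroot` is never created and the existing directory keeps its old, possibly world-readable, mode; readers who set up `/home/j` before this change will hit "File exists" with no hint of what to do. Either use `mkdir -p -m 0700 /home/j` for consistency with the first hunk or tell the reader to `chmod 0700` a pre-existing directory. A one-line pointer back to the `chmod` callout would also explain to readers of this section why the mode is now `0700`.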
@ -831,7 +841,7 @@ jail_www_devfs_enable="YES"</programlisting>
job *and* have the advantage of being part of the base
system of FreeBSD? -->
<screen>&prompt.root; <userinput>mkdir /home/js</userinput>
<screen>&prompt.root; <userinput>mkdir -m 0700 /home/js</userinput>
&prompt.root; <userinput>cpdup /home/j/skel /home/js/ns</userinput>
&prompt.root; <userinput>cpdup /home/j/skel /home/js/mail</userinput>
&prompt.root; <userinput>cpdup /home/j/skel /home/js/www</userinput></screen>
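Review bot: same issue as the `/home/j` change: `mkdir -m 0700 /home/js` fails on an existing `/home/js` and the mode is then not applied, so the text should mention `chmod 0700` for that case. The three `cpdup` trees under `/home/js` are protected only by the mode of `/home/js` itself, which is fine, but nothing in this section says why the mode is now `0700`; a brief reference to the `chmod` callout in the build section would make the hardening step self-explanatory.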