Escape from jails in FreeBSD
The developers of FreeBSD say that it may be possible to break out of a jail. Jails confine processes so that they can access only part of the file system and cannot use certain other potentially dangerous functions. Even if an attacker gains complete control of a process inside the jail, he cannot do much damage, because he should not be able to break out of the jail, not even with root privileges.
Unfortunately, a flaw in the jail rc.d script (rc.d(8)) allows access to resources outside the jail via symbolic links: files outside the jail can be overwritten and, among other things, attackers can gain root privileges on the host system. The developers give one example of possible misuse in their security advisory: if the /var/log/console.log file inside the jail is replaced by a symbolic link, the attacker can break out of the jail. Mount points in the directory structure can also be manipulated.
However, the flaw can only be exploited while the jail script is starting or stopping a jail. All FreeBSD versions since 5.3 are affected. The problem has been remedied in more recent FreeBSD versions. A patch is also available for FreeBSD 5.5, 6.0, and 6.1. The last time such a flaw in FreeBSD was made public was at the beginning of 2004.
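The root cause described above is a host-side script that opens a path beneath the jail's root as the host's root user and follows whatever symbolic link it finds there. The following added example (not FreeBSD's own code and not part of the advisory) shows the check an administrator's audit tool would want: resolve a jail-relative path on the host and refuse it if symlinks carry it outside the jail root, plus a walk that lists every symlink in a jail tree whose target escapes. The jail layout it builds is a constructed sample in a temporary directory, with one ordinary log file, one symlink that stays inside the jail, and a /var/log/console.log replaced by a symlink to a file outside it.

```python
import os
import tempfile


def _inside(root, path):
    """True if the already-resolved path lies at or below the resolved root."""
    return path == root or path.startswith(root + os.sep)


def resolve_inside_jail(jail_root, path_in_jail):
    """Map a jail-relative path (as a jail sees it) to a host path.

    Returns the fully resolved host path, or None if following symlinks
    leads anywhere outside the jail root. A host-side script that opened
    the returned path without this check would be writing wherever the
    jail's symlink pointed.
    """
    jail_root = os.path.realpath(jail_root)
    candidate = os.path.join(jail_root, path_in_jail.lstrip("/"))
    resolved = os.path.realpath(candidate)
    return resolved if _inside(jail_root, resolved) else None


def find_escaping_symlinks(jail_root):
    """Audit a jail tree: list (jail-relative link, resolved target) for every
    symlink whose target resolves outside the jail root."""
    jail_root = os.path.realpath(jail_root)
    escapes = []
    # os.walk does not descend into symlinked directories by default, but it
    # still lists them in dirnames, so directory symlinks are inspected too.
    for dirpath, dirnames, filenames in os.walk(jail_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if not _inside(jail_root, target):
                    escapes.append((os.path.relpath(full, jail_root), target))
    return escapes


def build_demo_jail():
    """Construct a throwaway jail layout (constructed sample, not a real jail).

    Returns (jail_root, resolved path of the host file the bad link points to).
    """
    base = tempfile.mkdtemp()
    jail = os.path.join(base, "jail")
    outside = os.path.join(base, "host_file")  # lives beside the jail, not in it
    logdir = os.path.join(jail, "var", "log")
    os.makedirs(logdir)
    with open(os.path.join(logdir, "messages"), "w") as f:
        f.write("honest log line\n")
    with open(outside, "w") as f:
        f.write("host data that must not be touched from the jail\n")
    # Relative symlink that stays inside the jail: harmless.
    os.symlink("messages", os.path.join(logdir, "current"))
    # console.log replaced by a symlink to a host file: the escape pattern.
    os.symlink(outside, os.path.join(logdir, "console.log"))
    return jail, os.path.realpath(outside)


if __name__ == "__main__":
    jail, outside = build_demo_jail()
    print("messages    ->", resolve_inside_jail(jail, "/var/log/messages"))
    print("console.log ->", resolve_inside_jail(jail, "/var/log/console.log"))
    for link, target in find_escaping_symlinks(jail):
        print("escaping symlink:", link, "->", target)
```

The resolve-then-compare check is an audit aid, not a complete fix: between resolving the path and opening it the jail could replace the link again, so the host-side script also has to open the file in a way that refuses to follow symlinks (for example with O_NOFOLLOW) or avoid touching files under the jail root as the host's root at all.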
- Jail rc.d script privilege escalation, FreeBSD's security advisory