Date: Tue, 23 Jan 2007 12:34:44 +0100 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Alexander Leidinger <Alexander@Leidinger.net> Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival <cperciva@freebsd.org>, "Simon L. Nielsen" <simon@FreeBSD.org> Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail] Message-ID: <20070123113444.GB11767@garage.freebsd.pl> In-Reply-To: <20070120152423.3195b15b@Magellan.Leidinger.net> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <20070120122432.GA971@zaphod.nitro.dk> <20070120130308.GD6697@garage.freebsd.pl> <20070120152423.3195b15b@Magellan.Leidinger.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--BwCQnh7xodEAoBMC Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote: > Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (Sat, 20 Jan 2007 14:03:08 = +0100): >=20 > > I fully agree that console.log should be outside a jail. At least noone > > proposed safe solution so far, which also means it's not an easy fix. >=20 > What's unsafe about my proposal? I did had a look at the code now, and > it should work (with minor mods). >=20 > Original: > ---snip--- > _tmp_jail=3D${_tmp_dir}/jail.$$ > eval jail ${_flags} -i ${_rootdir} ${_hostname} \ > ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1 >=20 > if [ "$?" -eq 0 ] ; then > _jail_id=3D$(head -1 ${_tmp_jail}) > i=3D1 > while [ true ]; do > eval out=3D\"\${_exec_afterstart${i}:-''}= \" >=20 > if [ -z "$out" ]; then > break; > fi >=20 > jexec "${_jail_id}" ${out} > i=3D$((i + 1)) > done >=20 > echo -n " $_hostname" > tail +2 ${_tmp_jail} >${_consolelog} > echo ${_jail_id} > /var/run/jail_${_jail}.id > ---snip--- >=20 > Pseudocode proposal, not tested (changes prefixed with 'x'): > ---snip--- > _tmp_jail=3D${_tmp_dir}/jail.$$ > x # assuming safe _consolelog (inside chroot) according > to the > x # previous mails here in the thread > x eval (echo "" ; \ > x jail ${_flags} -I /var/run/jail_${_jail}.id \ > x ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \ > x > ${_consolelog} 2>&1 >=20 > if [ "$?" -eq 0 ] ; then > x _jail_id=3D$(cat /var/run/jail_${_jail}.id) > i=3D1 > while [ true ]; do > eval out=3D\"\${_exec_afterstart${i}:-''}= \" >=20 > if [ -z "$out" ]; then > break; > fi >=20 > jexec "${_jail_id}" ${out} > i=3D$((i + 1)) > done >=20 > echo -n " $_hostname" > x > x > ---snip--- >=20 > Repeating my points: > - sanitize the consolelog path like discussed in this thread > - the jail is not running, so nobody can create a link (jail > root within FS space of another jail still prohibited) > - subshell to group echo and jail > - 'echo ""' to make sure the file exists when the jail starts > - (new) additional flag to jail to write a jid file > - redirect to the consolelog, it is still open from the echo > when the jail starts so there's no race >=20 > I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it > is line buffered, so the above works. >=20 > Where's the security problem in the above? It looks like it may work, but I still find it a bit risky. If sh(1) can reopen the file under some conditions or someone in the future will modify sh(1) in that way (because he won't be aware that such a change may have impact on system security) we will have a security hole. Chances are small, but I'm not going to be the one who will accept that change:) --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --BwCQnh7xodEAoBMC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFFtfLUForvXbEpPzQRAoo1AJ9Q/u5YAPeHsQiOUBCEEOR8BzKuoACbBnQH g1ixkeanvC5aURwI48b/TW4= =TDkY -----END PGP SIGNATURE----- --BwCQnh7xodEAoBMC--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070123113444.GB11767>