From: Jeremie Le Hen
To: Colin Percival
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Date: Sat, 20 Jan 2007 12:18:36 +0100
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID: <20070120111836.GF99833@obiwan.tataz.chchile.org>
In-Reply-To: <45A6DB76.40800@freebsd.org>

Hi Colin,
On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> Hello Everyone,
>
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
>
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).
>
> While this is not ideal, this security issue was extraordinarily messy due to
> the power and flexibility of the jails and the jail rc.d script. I can't
> recall any other time when the security team has spent this long trying to
> find a working patch for a security issue. I'd like to publicly thank Simon
> Nielsen for the many many hours he spent working on this issue, as well as
> the release engineering team for being very patient with us and delaying the
> upcoming release to give us time to fix this.

Thank you very much to Simon Nielsen for the work accomplished. According to the patch itself, it is clear he must have spent much time resolving this issue. However, both Pawel and Dirk seem to have proposed less limiting solutions.
I understand we are talking about security and we may not have much time to experiment with every solution on RELENG_6. Nonetheless, CURRENT is the one place to experiment with such solutions in front of a larger audience, and I would be very pleased to see a less restrictive workaround for this problem. Indeed, I'm using the same setup as Pawel (/jail -> /usr/jail).

Thank you for your work as a security officer.

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
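An added check, not part of this thread or of the advisory, for the configuration assumption Colin describes: it scans a per-jail fstab and flags any mount point whose path passes through a symlink, so the entry can be rewritten to the real, non-symlinked path. The demo tree it builds mirrors the /jail -> /usr/jail layout mentioned above; the device names and fstab file names in it are constructed.

```shell
#!/bin/sh
# Added example: audit per-jail fstab files for mount points that are, or lie
# beneath, a symlink. The advisory's assumption is that such mount points are
# rewritten to their real path. Assumed fstab layout: "device mountpoint fstype ...".

# check_jail_fstab FSTAB: print each offending entry; return 1 if any, else 0.
check_jail_fstab() {
    fstab=$1
    bad=0
    while read -r dev mnt rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        path=""
        oldifs=$IFS; IFS=/
        for comp in $mnt; do                        # walk the path one component at a time
            IFS=$oldifs
            [ -n "$comp" ] || continue
            path="$path/$comp"
            if [ -L "$path" ]; then                 # any link on the way resolves the mount elsewhere
                real=$(realpath "$mnt" 2>/dev/null || echo '<unresolvable>')
                printf 'symlink in mount point: %s (%s is a link); use real path %s\n' \
                    "$mnt" "$path" "$real"
                bad=1
                break
            fi
        done
        IFS=$oldifs
    done < "$fstab"
    return $bad
}

# make_demo_tree: constructed tree mirroring the /jail -> /usr/jail setup from the
# thread, plus two fstab files: one mounting via the symlink, one via the real path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/jail/www/mnt" "$root/usr/jail/db/mnt"
    ln -s usr/jail "$root/jail"
    printf '/dev/da0s1e %s/jail/www/mnt ufs rw 0 0\n' "$root" > "$root/fstab.www"
    printf '/dev/da0s1f %s/usr/jail/db/mnt ufs rw 0 0\n' "$root" > "$root/fstab.db"
    echo "$root"
}

demo_root=$(make_demo_tree)
for f in "$demo_root"/fstab.*; do
    if check_jail_fstab "$f"; then echo "$f: ok"; else echo "$f: needs fixing"; fi
done
```

The check only covers the symlink assumption; whether a mount point is visible from more than one jail depends on the jails' root paths and has to be reviewed separately.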