From owner-freebsd-security@FreeBSD.ORG Wed Jul 13 12:38:15 2005
From: Stephen Major
Date: Wed, 13 Jul 2005 05:38:11 -0700
Subject: mijail- Multiple IP's in a Jail

I have searched around the lists and Google and found this

http://people.freebsd.org/~pjd/patches/jail_2004120901.patch

I was wondering if anyone know of a multiple IP patch that works with
FreeBSD 5.4

I really do not understand why this is not included in the standard jail
I mean sure jail is handy for such things as small daemons

But what about the applications such as a shell server
Or a web server

They require multiple IP’s and the thought of running a jail for every shell
account 32+ IP’s

That is extremely far fetched.

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.8.13/47 - Release Date: 7/12/2005

From owner-freebsd-security@FreeBSD.ORG Wed Jul 13 15:27:58 2005
From: r2bit@neti.ee
To: freebsd-security@freebsd.org
Date: Wed, 13 Jul 2005 18:27:52 +0300
Subject: Re: mijail- Multiple IP's in a Jail

Check out http://blog.mombe.org/systems/mijail5.html?seemore=y. It worked for my
5.3. But keep in mind that there's no perfect solution yet - this mentioned
patch ruins the DNS.

> I have searched around the lists and Google and found this
>
> http://people.freebsd.org/~pjd/patches/jail_2004120901.patch
>
> I was wondering if anyone know of a multiple IP patch that works with
> FreeBSD 5.4
>
> I really do not understand why this is not included in the standard jail
>
> I mean sure jail is handy for such things as small daemons
>
> But what about the applications such as a shell server
>
> Or a web server
>
> They require multiple IP’s and the thought of running a jail for every shell
> account 32+ IP’s
>
> That is extremely far fetched.

From owner-freebsd-security@FreeBSD.ORG Thu Jul 14 11:13:36 2005
From: Anton Berezin
To: Michael Scheidell
Cc: freebsd-security@freebsd.org
Date: Thu, 14 Jul 2005 13:13:34 +0200
Subject: Re: Perl master site changed to tobez.org?

Michael,

Sorry I did not reply earlier, I was on vacation.

On Wed, Jun 29, 2005 at 05:37:16PM -0400, Michael Scheidell wrote:
> Tobez: no disrespect intended, obviously you saw a problem with the
> master sites for perl 5.8.7 and did what you could to help, and with
> your position as a maintainer, I know that the trust we have in you and
> your patches is well earned, so don't take this question as anything but
> my well-earned paranoia rearing its ugly head:
>
> Yes, building perl5.8.7 did seem like it had a lot of problems with the
> master_sites which is why I went to the freebsd ports cvs tree and
> looked to see if they fixed it, however, I believe it would be prudent
> for me to ask:
>
> How safe is this your site?
> And, yes, in some of my build scripts I pull the distfiles from our
> local system due to some issues with some of the sites, however, how
> safe is tobez.org from hacking?
> (ok, so, how safe is OUR site from hacking) or anyone's for that matter,
> so please don't take this as a challenge. I have enough to do not to
> have to go rebuilding our servers.

I think you are missing several things here:

1. The ":local" suffix there represents an example of the use of the
   existing support for master site groups. In particular, only BSDPAN
   and the defined-or patch can in principle be stored there, not the
   perl tarball itself.

2. Unless you use master sites randomization, tobez.org will be the last
   place to go for the files in question.

3. Most importantly, if you do not trust existing md5 and size distinfo
   checks, you should probably not use the ports collection at all.

I hope this addresses your concerns,

Cheers,
\Anton.
--
The moronity of the universe is a monotonically increasing function.
                -- Jarkko Hietaniemi

From owner-freebsd-security@FreeBSD.ORG Thu Jul 14 15:17:57 2005
From: Dmitry Frolov
To: r2bit@neti.ee
Cc: freebsd-security@freebsd.org
Date: Thu, 14 Jul 2005 22:17:39 +0700
Subject: Re: mijail- Multiple IP's in a Jail

* r2bit@neti.ee [13.07.2005 22:28]:
> Check out http://blog.mombe.org/systems/mijail5.html?seemore=y. It worked for my
> 5.3. But keep in mind that there's no perfect solution yet - this mentioned
> patch ruins the DNS.

I have a patch updated for 5.3 that also seems to fix outgoing UDP problem:

ftp://ftp.riss-telecom.ru/pub/patches/fbsd53b7-mijail.diff

I'm running with this patch for more than half a year.
Not tried on 5.4 yet.

> > I have searched around the lists and Google and found this
> >
> > http://people.freebsd.org/~pjd/patches/jail_2004120901.patch
> >
> > I was wondering if anyone know of a multiple IP patch that works with
> > FreeBSD 5.4
> > I really do not understand why this is not included in the standard jail
> > I mean sure jail is handy for such things as small daemons
> > But what about the applications such as a shell server
> > Or a web server
> > They require multiple IP’s and the thought of running a jail for every shell
> > account 32+ IP’s
> > That is extremely far fetched.

wbr&w, dmitry.
--
Dmitry Frolov
RISS-Telecom Network, Novosibirsk, Russia
66415911@ICQ, +7 3832 NO WA1T, DVF-RIPE

From owner-freebsd-security@FreeBSD.ORG Thu Jul 14 15:34:43 2005
From: Stephen Major
Date: Thu, 14 Jul 2005 08:34:06 -0700
Subject: RE: mijail- Multiple IP's in a Jail

Thank you!

Does anyone have a local 5.4 system they can test this out on?

I only have a remote system, and do not want to risk the server
not booting up.

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Dmitry Frolov
Sent: Thursday, July 14, 2005 8:18 AM
To: r2bit@neti.ee
Cc: freebsd-security@freebsd.org
Subject: Re: mijail- Multiple IP's in a Jail

* r2bit@neti.ee [13.07.2005 22:28]:
> Check out http://blog.mombe.org/systems/mijail5.html?seemore=y. It worked for my
> 5.3. But keep in mind that there's no perfect solution yet - this mentioned
> patch ruins the DNS.

I have a patch updated for 5.3 that also seem to fix outgoing UDP problem:

ftp://ftp.riss-telecom.ru/pub/patches/fbsd53b7-mijail.diff

I'm running with this patch for more than half a year.
Not tried on 5.4 yet.

> > I have searched around the lists and Google and found this
> >
> > http://people.freebsd.org/~pjd/patches/jail_2004120901.patch
> >
> > I was wondering if anyone know of a multiple IP patch that works with
> > FreeBSD 5.4
> > I really do not understand why this is not included in the standard jail
> > I mean sure jail is handy for such things as small daemons
> > But what about the applications such as a shell server
> > Or a web server
> > They require multiple IP’s and the thought of running a jail for every shell
> > account 32+ IP’s
> > That is extremely far fetched.

wbr&w, dmitry.

--
Dmitry Frolov
RISS-Telecom Network, Novosibirsk, Russia
66415911@ICQ, +7 3832 NO WA1T, DVF-RIPE
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Thu Jul 14 16:26:58 2005
From: Avleen Vig
To: freebsd-security@freebsd.org
Date: Thu, 14 Jul 2005 09:26:56 -0700
Subject: [ronvdaal@zarathustra.linux666.com: Possible security issue with FreeBSD 5.4 jailing and BPF]

This message was sent to bugtraq today:

While playing around with FreeBSD 5.4 and jailing I discovered that it was
possible to put an ethernet interface into promiscuous mode from within the
jailed environment, allowing a packetsniffer to gather data not meant for
the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x
This can be reproduced on boxes where BPF support is enabled in the kernel
and a BPF device is available in the jail (badly configured devfs/no rules)

The problem lies within the FreeBSD 5.x BPF kernel code:

"The Berkeley Packet Filter provides a raw interface to data link layers
in a protocol independent fashion. The function bpfopen() opens an
Ethernet device. There is a conditional which disallows any jailed
processes from accessing this function."

This conditional was present in the 4.x series kernels but is missing
in 5.x and thus allowing free access to bpfopen() from within a jailed
environment. I think this is related to the changed jailing code between
these kernels. I don't believe this has been left out on purpose in favor
of devfs rulesets (...) If not, I'd like to have some comments on this.

Example:

jail# uname -a
FreeBSD jail 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC
2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

The ethernet interface of the host (parent) is not in promiscuous mode.
The interface of the jailed environment isn't in promiscuous mode either:

jail# ifconfig | grep fxp0
fxp0: flags=8843 mtu 1500

Now starting tcpdump in the jail:

jail# tcpdump -i fxp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes

Checking the interface again within the jail:

jail# ifconfig | grep fxp0
fxp0: flags=8943 mtu 1500

The interface is running in promiscuous mode.

The host environment shows that the tcpdump process runs in a jail:

root@nietzsche# ps aux|grep tcpdump
root 50551 0.0 0.9 3784 2248 p4 S+J 8:37PM 0:00.04 tcpdump
- -i fxp0

The P_JAILED flag is set.

Conclusion:

Usage of devfs rulesets is highly recommended as stated in the manpages.
Though a misconfiguration at this point would expose a big security issue.
The question is: should bpfopen() in bpf.c check for a jailed proc or not?

Grt,

Ron van Daal

From owner-freebsd-security@FreeBSD.ORG Thu Jul 14 16:52:53 2005
From: "Simon L. Nielsen"
To: Avleen Vig
Cc: freebsd-security@freebsd.org
Date: Thu, 14 Jul 2005 18:52:51 +0200
Subject: Re: [ronvdaal@zarathustra.linux666.com: Possible security issue with FreeBSD 5.4 jailing and BPF]

On 2005.07.14 09:26:56 -0700, Avleen Vig wrote:
> This message was sent to bugtraq today:

Please see the thread on full-disclosure as to why this is not an
issue.

http://lists.grok.org.uk/pipermail/full-disclosure/2005-July/035036.html

Unfortunately the poster sent separate mails to full-disclosure and
bugtraq, so the followups were only set to full-disclosure (since we
saw the mail first there).

> While playing around with FreeBSD 5.4 and jailing I discovered that it was
> possible to put an ethernet interface into promiscuous mode from within the
> jailed environment, allowing a packetsniffer to gather data not meant for
> the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x
> This can be reproduced on boxes where BPF support is enabled in the kernel
> and a BPF device is available in the jail (badly configured devfs/no rules)
[...]

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Thu Jul 14 17:04:31 2005
From: Ricardo A Reis
To: Avleen Vig
Cc: freebsd-security@freebsd.org
Date: Thu, 14 Jul 2005 14:03:52 -0300
Subject: Re: [ronvdaal@zarathustra.linux666.com: Possible security issue with FreeBSD 5.4 jailing and BPF]

I am starting jail + devfs rules in 5.4-STABLE using rc.conf.

See the real entries:

------------------
jail_vhosts_rootdir="/usr/jail/vhosts"
jail_vhosts_hostname="vhosts.epm.br"
jail_vhosts_ip="127.0.0.3"
jail_vhosts_exec_start="/bin/sh /etc/rc"
jail_vhosts_exec_stop="/bin/sh /etc/rc.shutdown"
jail_vhosts_devfs_enable="YES"
jail_vhosts_fdescfs_enable="NO"
jail_vhosts_procfs_enable="YES"
jail_vhosts_mount_enable="NO"
jail_vhosts_devfs_ruleset="devfsrules_jail"    # this uses the default devfs rule for best security in the jail environment
jail_vhosts_fstab=""
----------------------

In the jail I tested your possible issue!!!

vhosts# ifconfig
rl0: flags=8843 mtu 1500
        options=8
        ether 00:08:54:1a:68:b1
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.3 netmask 0xffffffff
pflog0: flags=141 mtu 33208

vhosts# tcpdump -nni rl0
tcpdump: (no devices found) /dev/bpf0: No such file or directory

vhosts# tcpdump -nni lo0
tcpdump: (no devices found) /dev/bpf0: No such file or directory

Regards,

Ricardo A. Reis
UNIFESP - SENAI
Unix and System Admin

>This message was sent to bugtraq today:
>
>
>While playing around with FreeBSD 5.4 and jailing I discovered that it was
>possible to put an ethernet interface into promiscuous mode from within the
>jailed environment, allowing a packetsniffer to gather data not meant for
>the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x
>This can be reproduced on boxes where BPF support is enabled in the kernel
>and a BPF device is available in the jail (badly configured devfs/no rules)
>
>The problem lies within the FreeBSD 5.x BPF kernel code:
>
>"The Berkeley Packet Filter provides a raw interface to data link layers
>in a protocol independent fashion. The function bpfopen() opens an
>Ethernet device. There is a conditional which disallows any jailed
>processes from accessing this function."
>
>This conditional was present in the 4.x series kernels but is missing
>in 5.x and thus allowing free access to bpfopen() from within a jailed
>environment. I think this is related to the changed jailing code between
>these kernels. I don't believe this has been left out on purpose in favor
>of devfs rulesets (...) If not, I'd like to have some comments on this.
>
>
>Example:
>
>jail# uname -a
>FreeBSD jail 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC
>2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
>The ethernet interface of the host (parent) is not in promiscuous mode.
>The interface of the jailed environment isn't in promiscuous mode either:
>
>jail# ifconfig | grep fxp0
>fxp0: flags=8843 mtu 1500
>
>
>Now starting tcpdump in the jail:
>
>jail# tcpdump -i fxp0
>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
>
>
>Checking the interface again within the jail:
>
>jail# ifconfig | grep fxp0
>fxp0: flags=8943 mtu 1500
>
>The interface is running in promiscuous mode.
>
>
>The host environment shows that the tcpdump process runs in a jail:
>
>root@nietzsche# ps aux|grep tcpdump
>root 50551 0.0 0.9 3784 2248 p4 S+J 8:37PM 0:00.04 tcpdump
>- -i fxp0
>
>The P_JAILED flag is set.
>
>
>Conclusion:
>
>Usage of devfs rulesets is highly recommended as stated in the manpages.
>Though a misconfiguration at this point would expose a big security issue.
>The question is: should bpfopen() in bpf.c check for a jailed proc or not?
>
>
>Grt,
>
>Ron van Daal
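
The misconfiguration this thread turns on (devfs mounted in a jail with no ruleset, leaving a bpf node visible inside it) can be checked from the host. The script below is an added example, not code from any poster or from FreeBSD: it assumes the jail_<name>_<key> rc.conf variables shown in Ricardo's message and that each jail's devfs is mounted at <rootdir>/dev, and it runs against a constructed sample tree whose "shell" jail and plain-file bpf0 are made up for illustration.

```shell
#!/bin/sh
# Added example: host-side audit of rc.conf jail entries for BPF exposure.
# Assumes the jail_<name>_<key> variable naming from the rc.conf excerpt in
# the thread, and that each jail's devfs is mounted at <rootdir>/dev.

# List jail names, taken from jail_<name>_rootdir= lines of the file in $1.
jail_names() {
    sed -n 's/^jail_\([A-Za-z0-9_]*\)_rootdir=.*/\1/p' "$1"
}

# Print the value of jail_<$2>_<$3> from file $1, without quotes or a
# trailing comment. Values containing whitespace are not handled.
jail_var() {
    sed -n "s/^jail_${2}_${3}=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# Report findings for one jail ($2) defined in rc.conf file $1.
# Prints one line per finding and nothing when the jail looks clean.
audit_jail() {
    root=$(jail_var "$1" "$2" rootdir)
    devfs=$(jail_var "$1" "$2" devfs_enable)
    rules=$(jail_var "$1" "$2" devfs_ruleset)

    # devfs mounted with no ruleset named in this file: device nodes, bpf
    # included, may be visible in the jail. Host-wide defaults are not
    # consulted here, so treat this as something to review.
    case "$devfs" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
            if [ -z "$rules" ]; then
                echo "$2: devfs enabled but no devfs_ruleset set"
            fi
            ;;
    esac

    # Whatever the configuration says, look at what is actually there.
    # An empty rootdir is skipped so the host's own /dev is never scanned.
    if [ -n "$root" ]; then
        for node in "$root"/dev/bpf*; do
            if [ -e "$node" ]; then
                echo "$2: BPF device present: $node"
            fi
        done
    fi
    return 0
}

# Audit every jail defined in the rc.conf file $1.
audit_rcconf() {
    for name in $(jail_names "$1"); do
        audit_jail "$1" "$name"
    done
}

# Constructed sample under directory $1: a "vhosts" jail configured as in
# the thread, and a hypothetical "shell" jail with devfs enabled, no
# ruleset, and a plain file standing in for a visible bpf node.
make_sample() {
    mkdir -p "$1/vhosts/dev" "$1/shell/dev"
    : > "$1/shell/dev/bpf0"
    cat > "$1/rc.conf" <<EOF
jail_vhosts_rootdir="$1/vhosts"
jail_vhosts_devfs_enable="YES"
jail_vhosts_devfs_ruleset="devfsrules_jail"   # as in the thread
jail_shell_rootdir="$1/shell"
jail_shell_devfs_enable="YES"
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
audit_rcconf "$sample/rc.conf"
rm -rf "$sample"
```

On a real host, point audit_rcconf at /etc/rc.conf; the bpf check only sees jails whose devfs is currently mounted.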