From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 05:18:39 2007
Date: Sat, 13 Jan 2007 19:18:28 -1000
From: Randy Bush
To: Garance A Drosihn
Cc: freebsd-security@freebsd.org
Subject: Re: Permission denied by op

Garance A Drosihn wrote:
> Try a:   ls -lo /usr/local/etc/op.access
> and see if some of the chflags-style options have been turned on.

hi glarance!  long time.
# ls -lo /usr/local/etc/op.access
-r--------  1 root  wheel  - 112 Jan 13 19:48 /usr/local/etc/op.access

randy

From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 06:49:42 2007
Date: Sun, 14 Jan 2007 00:16:33 -0500
From: Garance A Drosihn
To: Randy Bush, freebsd-security@freebsd.org
Subject: Re: Permission denied by op

At 9:57 PM -1000 1/12/07, Randy Bush wrote:
>i am invoking op from a python proggy which does an op.system() of
>
>     op chmod 640 /usr/local/etc/tac_plus.conf
>
>i get "Permission denied by op"
>
>% ls -l /usr/local/etc/op.access
>-r--------  1 root  wheel  149 Jan 13 07:41 /usr/local/etc/op.access

Try a:   ls -lo /usr/local/etc/op.access
and see if some of the chflags-style options have been turned on.
-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 11:47:13 2007
Date: Sun, 14 Jan 2007 12:19:59 +0100
From: "Kobajashi Zaghi"
To: freebsd-security@freebsd.org, cperciva@freebsd.org
Subject: MOAB advisories

Hi Colin!

I would like to know, that these following "vulnerabilities" does
affect FreeBSD's reliability? If the answer is "yes", what version of
FreeBSD affected, when will be fixed, etc.

http://projects.info-pull.com/moab/MOAB-12-01-2007.html
http://projects.info-pull.com/moab/MOAB-10-01-2007.html

Thank you!

-- 
kobi

From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 12:29:20 2007
Date: Sun, 14 Jan 2007 07:12:24 -0500
From: "Michael Scheidell"
To: "Kobajashi Zaghi"
Subject: RE: MOAB advisories

Why would you think any of these had anything to do with FreeBSD?

They all clearly state 'Apple DMG'.
(a compressed disk image only for Apple Mac OS X)

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Web based Security and privacy Training: http://www.secnap.com/training

-----------------------------------------------------------------
This email has been scanned and certified safe by SpammerTrap(tm)
For Information please see http://www.spammertrap.com

From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 12:45:59 2007
Date: Sun, 14 Jan 2007 07:13:41 -0500
From: "Michael Scheidell"
To: "Kobajashi Zaghi"
Subject: RE: MOAB advisories

Never mind, advisory states it affects FreeBSD 6.1.

From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 15:25:19 2007
Date: Sun, 14 Jan 2007 10:15:15 -0500
From: Bill Moran
To: "Kobajashi Zaghi"
Cc: freebsd-security@freebsd.org
Subject: Re: MOAB advisories

"Kobajashi Zaghi" wrote:
>
> I would like to know, that these following "vulnerabilities" does
> affect FreeBSD's reliability? If the answer is "yes", what version of
> FreeBSD affected, when will be fixed, etc.
>
> http://projects.info-pull.com/moab/MOAB-12-01-2007.html
> http://projects.info-pull.com/moab/MOAB-10-01-2007.html

These folks are establishing themselves as careless, alarmist, and
uneducated when it comes to kernel bugs.

In FreeBSD, the above mentioned flaws can, indeed, cause a kernel panic.
However, this is intended behaviour when a corrupt filesystem is
encountered. It protects the system from serious damage that could
result from trying to work with the corrupt filesystem.

The difference, that the info-pull folks seem to be too stupid to
understand, is that FreeBSD does not allow mounting of filesystems
by anyone other than root. If someone with root access wants to DoS
your system, they don't need any flaws, they could just rm -rf /, or
other nasty actions.

Apple made the mistake of making a function that was designed to be
usable by an administrator-only accessible to the average user. Doing
this requires that lots and lots of code be investigated and updated.
Places where it makes sense to intentionally call panic() in FreeBSD
require less drastic and considerably more complex action in Mac OS.
Apparently, Apple didn't review this carefully enough.

The thing that amazes me is that the info-pull folks are smart enough
to uncover these issues, but too stupid to accurately report them and
their consequences.
-Bill

From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 16:06:38 2007
Date: Sun, 14 Jan 2007 11:06:36 -0500
From: Bill Moran
To: Alexander Leidinger
Cc: Kobajashi Zaghi, freebsd-security@freebsd.org
Subject: Re: MOAB advisories

Alexander Leidinger wrote:
>
> Quoting Bill Moran (Sun, 14 Jan 2007 10:15:15 -0500):
>
> > "Kobajashi Zaghi" wrote:
> > >
> > > I would like to know, that these following "vulnerabilities" does
> > > affect FreeBSD's reliability? If the answer is "yes", what version of
> > > FreeBSD affected, when will be fixed, etc.
> > >
> > > http://projects.info-pull.com/moab/MOAB-12-01-2007.html
> > > http://projects.info-pull.com/moab/MOAB-10-01-2007.html
> >
> > These folks are establishing themselves as careless, alarmist, and
> > uneducated when it comes to kernel bugs.
> >
> > In FreeBSD, the above mentioned flaws can, indeed, cause a kernel panic.
> > However, this is intended behaviour when a corrupt filesystem is
> > encountered. It protects the system from serious damage that could
> > result from trying to work with the corrupt filesystem.
> >
> > The difference, that the info-pull folks seem to be too stupid to
> > understand, is that FreeBSD does not allow mounting of filesystems
> > by anyone other than root.
>
> Except root did set the sysctl to allow this, or started a HAL daemon
> which mounts stuff for the desktop user, or uses amd to mount stuff.

All decisions made by root.

It's always possible, on any system, for an administrative user to
set up a configuration that is insecure or unsafe, that doesn't mean
that it's a flaw in the system.
Quite the contrary, any system that attempts to limit an
administrator's power to keep things secure becomes inflexible, and
nearly useless.

-Bill

From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 16:20:03 2007
Date: Sun, 14 Jan 2007 17:01:24 +0100
From: Alexander Leidinger
To: Bill Moran
Cc: Kobajashi Zaghi, freebsd-security@freebsd.org
Subject: Re: MOAB advisories

Quoting Bill Moran (Sun, 14 Jan 2007 10:15:15 -0500):

> "Kobajashi Zaghi" wrote:
> >
> > I would like to know, that these following "vulnerabilities" does
> > affect FreeBSD's reliability? If the answer is "yes", what version of
> > FreeBSD affected, when will be fixed, etc.
> >
> > http://projects.info-pull.com/moab/MOAB-12-01-2007.html
> > http://projects.info-pull.com/moab/MOAB-10-01-2007.html
>
> These folks are establishing themselves as careless, alarmist, and
> uneducated when it comes to kernel bugs.
>
> In FreeBSD, the above mentioned flaws can, indeed, cause a kernel panic.
> However, this is intended behaviour when a corrupt filesystem is
> encountered. It protects the system from serious damage that could
> result from trying to work with the corrupt filesystem.
>
> The difference, that the info-pull folks seem to be too stupid to
> understand, is that FreeBSD does not allow mounting of filesystems
> by anyone other than root.

Except root did set the sysctl to allow this, or started a HAL daemon
which mounts stuff for the desktop user, or uses amd to mount stuff.

Bye,
Alexander.

-- 
Lt. Dan: "Have you found Jesus yet Gump?"
Forrest Gump: "I didn't know I was supposed to be looking for him - Sir!"
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Sun Jan 14 16:43:20 2007
Date: Sun, 14 Jan 2007 17:43:11 +0100
From: Alexander Leidinger
To: Bill Moran
Cc: Kobajashi Zaghi, freebsd-security@freebsd.org
Subject: Re: MOAB advisories

Quoting Bill Moran (Sun, 14 Jan 2007 11:06:36 -0500):

> Alexander Leidinger wrote:
> >
> > Quoting Bill Moran (Sun, 14 Jan 2007 10:15:15 -0500):
> >
> > > "Kobajashi Zaghi" wrote:
> > > >
> > > > I would like to know, that these following "vulnerabilities" does
> > > > affect FreeBSD's reliability? If the answer is "yes", what version of
> > > > FreeBSD affected, when will be fixed, etc.
> > > >
> > > > http://projects.info-pull.com/moab/MOAB-12-01-2007.html
> > > > http://projects.info-pull.com/moab/MOAB-10-01-2007.html
> > >
> > > These folks are establishing themselves as careless, alarmist, and
> > > uneducated when it comes to kernel bugs.
> > >
> > > In FreeBSD, the above mentioned flaws can, indeed, cause a kernel panic.
> > > However, this is intended behaviour when a corrupt filesystem is
> > > encountered. It protects the system from serious damage that could
> > > result from trying to work with the corrupt filesystem.
> > >
> > > The difference, that the info-pull folks seem to be too stupid to
> > > understand, is that FreeBSD does not allow mounting of filesystems
> > > by anyone other than root.
> >
> > Except root did set the sysctl to allow this, or started a HAL daemon
> > which mounts stuff for the desktop user, or uses amd to mount stuff.
>
> All decisions made by root.

Yes. I just wanted to point out that it only is a non-issue when root
didn't make specific configuration operations. Those configs are ok, as
long as you know about the consequences.
We do not have warnings about this in all places where we should have
them.

Bye,
Alexander.

-- 
Ohh, my son doesn't stand a chance! The whole world has gone gay!
        -- Homer Simpson
           Homer's Phobia
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Mon Jan 15 20:23:24 2007
Date: Mon, 15 Jan 2007 20:56:44 +0100
From: Dirk Engling
To: "Pawel Jakub Dawidek"
Cc: freebsd-security@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pawel Jakub Dawidek wrote:

> I'll keep /var/log/console.log outside a jail, because using
> 'realpath -c' will be dangerous once the jail is running. There could be
> a race where `realpath -c` returns one path, an attacker inside a jail
> changes one of resolved path's component and rc.d/jail from outside a
> jail tries to use it.

A simple way to prevent race conditions (here an example to mount devfs
into jails) is:

  cd ${jail_root}
  j_root=`pwd`
  cd ${jail_dev_dir}
  j_dev=`pwd`
  eval evil_doer=\$\{j_dev#${j_root}\}
  [ "$evil_doer" = "$j_dev" ] && exit
  mount_devfs devfs .
To do the same with console.log (I _really_ like this feature and would
want it re-enabled asap) you can use something like:

  cd ${jail_root}
  j_root=`pwd`
  cd ${jail_var_log_dir}
  j_var_log=`pwd`
  eval evil_doer=\$\{j_var_log#${j_root}\}
  [ "$evil_doer" = "$j_var_log" ] && exit
  cp -f ${temp_log} console.log

Regards

  erdgeist

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFq9x8ImmQdUyYEgkRAhcjAJ9DYuE4Dfe7A+MexLZ7UgQOgUd12ACgjoxO
4SlRxdYlOXsAVDvfeSeu+e8=
=Xz64
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Jan 15 21:09:07 2007
Date: Mon, 15 Jan 2007 22:08:26 +0100
From: Pawel Jakub Dawidek
To: Dirk Engling
Cc: freebsd-security@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

On Mon, Jan 15, 2007 at 08:56:44PM +0100, Dirk Engling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pawel Jakub Dawidek wrote:
>
> > I'll keep /var/log/console.log outside a jail, because using
> > 'realpath -c' will be dangerous once the jail is running. There could be
> > a race where `realpath -c` returns one path, an attacker inside a jail
> > changes one of resolved path's component and rc.d/jail from outside a
> > jail tries to use it.
>
> A simple way to prevent race conditions (here an example to mount devfs
> into jails) is:
>
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_dev_dir}
> j_dev=`pwd`
> eval evil_doer=\$\{j_dev#${j_root}\}
> [ "$evil_doer" = "$j_dev" ] && exit
> mount_devfs devfs .

    # ls -l /jails
    lrwxr-x---  1 root  wheel  9 15 sty 21:58 /jails -> usr/jails
    # jail_root="/usr/jails"
    # jail_dev_dir="/jails/dev"
    # cd ${jail_root}
    # j_root=`pwd`
    # echo $j_root
    /usr/jails
    # cd ${jail_dev_dir}
    # j_dev=`pwd`
    # echo $j_dev
    /jails/dev
    # eval evil_doer=\$\{j_dev#${j_root}\}
    # echo $evil_doer
    /jails/dev
    # [ "$evil_doer" = "$j_dev" ] && echo "false positive"
    false positive

In other words, it may break existing configurations.
> To do the same with console.log (I _really_ like this feature and would > want it re-enabled asap) you can use something like: >=20 > cd ${jail_root} > j_root=3D`pwd` > cd ${jail_var_log_dir} > j_var_log=3D`pwd` > eval evil_doer=3D\$\{j_var_log#${j_root}\} > [ "$evil_doer" =3D "$j_var_log" ] && exit --> Race <-- > cp -f ${temp_log} console.log --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --ZPt4rx8FFjLCG7dd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFFq+1KForvXbEpPzQRAvBQAKDKPf9UMqlZduQJV77Ht1UjJmltIACeJcap z/+nWkDBY6Yp2yNSYhtNQTU= =RTyD -----END PGP SIGNATURE----- --ZPt4rx8FFjLCG7dd-- From owner-freebsd-security@FreeBSD.ORG Mon Jan 15 21:15:37 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8365B16A4F8 for ; Mon, 15 Jan 2007 21:15:37 +0000 (UTC) (envelope-from erdgeist@erdgeist.org) Received: from elektropost.org (elektropost.org [80.237.196.4]) by mx1.freebsd.org (Postfix) with ESMTP id 49E1513C4DB for ; Mon, 15 Jan 2007 21:15:30 +0000 (UTC) (envelope-from erdgeist@erdgeist.org) Received: (qmail 13948 invoked by uid 0); 15 Jan 2007 21:14:57 -0000 Received: from fuckup.club.berlin.ccc.de (HELO ?23.23.23.91?) 
(erdgeist@erdgeist.org@195.160.172.2) by elektropost.org with AES256-SHA encrypted SMTP; 15 Jan 2007 21:14:57 -0000 Message-ID: <45ABEEEE.4030609@erdgeist.org> Date: Mon, 15 Jan 2007 22:15:26 +0100 From: Dirk Engling User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207) MIME-Version: 1.0 To: Pawel Jakub Dawidek References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> In-Reply-To: <20070115210826.GA2839@garage.freebsd.pl> X-Enigmail-Version: 0.94.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Jan 2007 21:15:37 -0000

Pawel Jakub Dawidek wrote:

> In other words, it may break existing configurations.

Sorry, I meant "pwd -P" and assumed that, according to pwd's man page, to
be default.

>> cd ${jail_root}
>> j_root=`pwd`
>> cd ${jail_var_log_dir}
>> j_var_log=`pwd`
>> eval evil_doer=\$\{j_var_log#${j_root}\}
>> [ "$evil_doer" = "$j_var_log" ] && exit
>
> --> Race <--
>
>> cp -f ${temp_log} console.log

No, since that directory is your cwd, you operate on ./ which won't
change by setting soft links along the path. You won't even be able to
remove that directory in the first place since the directory's vnode is
locked.
Regards

  erdgeist

From owner-freebsd-security@FreeBSD.ORG Mon Jan 15 22:01:29 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DFB5216A47E for ; Mon, 15 Jan 2007 22:01:29 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: from mail.garage.freebsd.pl (arm132.internetdsl.tpnet.pl [83.17.198.132]) by mx1.freebsd.org (Postfix) with ESMTP id 82EB013C4CC for ; Mon, 15 Jan 2007 22:01:27 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id 0C75F46DA5; Mon, 15 Jan 2007 23:01:26 +0100 (CET) Received: from localhost (154.81.datacomsa.pl [195.34.81.154]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id C00B5487F4; Mon, 15 Jan 2007 23:01:13 +0100 (CET) Date: Mon, 15 Jan 2007 23:00:39 +0100 From: Pawel Jakub Dawidek To: Dirk Engling Message-ID: <20070115220039.GB2839@garage.freebsd.pl> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="uQr8t48UFsdbeI+V" Content-Disposition: inline In-Reply-To: <45ABEEEE.4030609@erdgeist.org> X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 7.0-CURRENT i386 User-Agent: mutt-ng/devel-r804 (FreeBSD) X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-2.6
required=3.0 tests=BAYES_00 autolearn=ham version=3.0.4 Cc: freebsd-security@freebsd.org Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Jan 2007 22:01:30 -0000

On Mon, Jan 15, 2007 at 10:15:26PM +0100, Dirk Engling wrote:
> Pawel Jakub Dawidek wrote:
>
> > In other words, it may break existing configurations.
>
> Sorry, I meant "pwd -P" and assumed that, according to pwd's man page, to
> be default.

Ok, this may work...

> > --> Race <--
> >
> >> cp -f ${temp_log} console.log
>
> No, since that directory is your cwd, you operate on ./ which won't
> change by setting soft links along the path. You won't even be able to
> remove that directory in the first place since the directory's vnode is
> locked.

console.log can still be a softlink. I don't see an option for cp(1) which
allows not following symlinks, so I'd suggest 'mv -f' instead -
rename(2) doesn't follow symlinks.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 01:27:15 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AAFC316A407 for ; Tue, 16 Jan 2007 01:27:15 +0000 (UTC) (envelope-from erdgeist@erdgeist.org) Received: from elektropost.org (elektropost.org [80.237.196.4]) by mx1.freebsd.org (Postfix) with ESMTP id 069A213C441 for ; Tue, 16 Jan 2007 01:27:14 +0000 (UTC) (envelope-from erdgeist@erdgeist.org) Received: (qmail 95769 invoked by uid 0); 16 Jan 2007 01:26:46 -0000 Received: from fuckup.club.berlin.ccc.de (HELO ?23.23.23.91?) (erdgeist@erdgeist.org@195.160.172.2) by elektropost.org with AES256-SHA encrypted SMTP; 16 Jan 2007 01:26:46 -0000 Message-ID: <45AC29EA.70009@erdgeist.org> Date: Tue, 16 Jan 2007 02:27:06 +0100 From: Dirk Engling User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207) MIME-Version: 1.0 To: Pawel Jakub Dawidek References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> <20070115220039.GB2839@garage.freebsd.pl> In-Reply-To: <20070115220039.GB2839@garage.freebsd.pl> X-Enigmail-Version: 0.94.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 01:27:15 -0000

Pawel Jakub Dawidek wrote:
> On Mon, Jan 15, 2007 at 10:15:26PM +0100, Dirk Engling wrote:

>>>> cp -f ${temp_log} console.log

> console.log can still be a softlink. I don't see an option for cp(1) which
> allows not following symlinks, so I'd suggest 'mv -f' instead -
> rename(2) doesn't follow symlinks.

Please try the "cp -f" before guessing, what it might do ;)

cp -f removes anything on that location before relinking the new file.
Atomically. Exactly, what we need.

So since there is nothing that might be a soft link - by definition - it
might not be followed.

Regards

  erdgeist

From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 01:43:39 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id ADE3016A416 for ; Tue, 16 Jan 2007 01:43:39 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd3mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.freebsd.org (Postfix) with ESMTP id 80C4313C4A5 for ; Tue, 16 Jan 2007 01:43:39 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd3mr6so.prod.shaw.ca (pd3mr6so-qfe3.prod.shaw.ca [10.0.141.21]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0JBX0086BU4QHHC0@l-daemon> for freebsd-security@freebsd.org; Mon, 15 Jan 2007 18:43:38 -0700 (MST) Received: from pn2ml4so.prod.shaw.ca ([10.0.121.148]) by pd3mr6so.prod.shaw.ca (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0JBX00KG8U4PUBB2@pd3mr6so.prod.shaw.ca> for
freebsd-security@freebsd.org; Mon, 15 Jan 2007 18:43:37 -0700 (MST) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0JBX004WNU4HN510@l-daemon> for freebsd-security@freebsd.org; Mon, 15 Jan 2007 18:43:30 -0700 (MST) Received: (qmail 45396 invoked from network); Tue, 16 Jan 2007 01:47:12 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Tue, 16 Jan 2007 01:47:12 +0000 Date: Mon, 15 Jan 2007 17:47:11 -0800 From: Colin Percival In-reply-to: <45AC29EA.70009@erdgeist.org> To: Dirk Engling Message-id: <45AC2E9F.20901@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> <20070115220039.GB2839@garage.freebsd.pl> <45AC29EA.70009@erdgeist.org> User-Agent: Thunderbird 1.5.0.9 (X11/20061227) Cc: freebsd-security@freebsd.org, Pawel Jakub Dawidek Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 01:43:39 -0000

Dirk Engling wrote:
> Please try the "cp -f" before guessing, what it might do ;)
>
> cp -f removes anything on that location before relinking the new file.
> Atomically.

No. `cp -f` unlinks the existing file and creates a new file, but will
still follow a symlink if one is created between the "unlink" syscall and
the "open" syscall.

        /* remove existing destination file name,
         * create a new file */
        (void)unlink(to.p_path);
        if (!lflag)
            to_fd = open(to.p_path, O_WRONLY | O_TRUNC | O_CREAT,
                fs->st_mode & ~(S_ISUID | S_ISGID));

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 02:17:19 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1B06316A415 for ; Tue, 16 Jan 2007 02:17:19 +0000 (UTC) (envelope-from erdgeist@erdgeist.org) Received: from elektropost.org (elektropost.org [80.237.196.4]) by mx1.freebsd.org (Postfix) with ESMTP id 6A40B13C44B for ; Tue, 16 Jan 2007 02:17:18 +0000 (UTC) (envelope-from erdgeist@erdgeist.org) Received: (qmail 39262 invoked by uid 0); 16 Jan 2007 02:16:49 -0000 Received: from fuckup.club.berlin.ccc.de (HELO ?23.23.23.91?) (erdgeist@erdgeist.org@195.160.172.2) by elektropost.org with AES256-SHA encrypted SMTP; 16 Jan 2007 02:16:49 -0000 Message-ID: <45AC35A6.7090103@erdgeist.org> Date: Tue, 16 Jan 2007 03:17:10 +0100 From: Dirk Engling User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207) MIME-Version: 1.0 To: Colin Percival References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> <20070115220039.GB2839@garage.freebsd.pl> <45AC29EA.70009@erdgeist.org> <45AC2E9F.20901@freebsd.org> In-Reply-To: <45AC2E9F.20901@freebsd.org> X-Enigmail-Version: 0.94.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, Pawel Jakub Dawidek Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: ,
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 02:17:19 -0000

Colin Percival wrote:

> No. `cp -f` unlinks the existing file and creates a new file, but will
> still follow a symlink if one is created between the "unlink" syscall and
> the "open" syscall.
>
>         /* remove existing destination file name,
>          * create a new file */
>         (void)unlink(to.p_path);
>         if (!lflag)
>             to_fd = open(to.p_path, O_WRONLY | O_TRUNC | O_CREAT,
>                 fs->st_mode & ~(S_ISUID | S_ISGID));

You are right. Atomically in binary is not atomical enough.

mv in its rename()-form will do the job, so we need to create a file in
. by mktemp and mv it to the real name when filled.

Regards

  erdgeist

From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 03:42:36 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 84F8516A40F; Tue, 16 Jan 2007 03:42:36 +0000 (UTC) (envelope-from bde@zeta.org.au) Received: from mailout1.pacific.net.au (mailout1-3.pacific.net.au [61.8.2.210]) by mx1.freebsd.org (Postfix) with ESMTP id 48E0D13C45E; Tue, 16 Jan 2007 03:42:36 +0000 (UTC) (envelope-from bde@zeta.org.au) Received: from mailproxy2.pacific.net.au (mailproxy2.pacific.net.au [61.8.2.163]) by mailout1.pacific.net.au (Postfix) with ESMTP id E2A325A0F48; Tue, 16 Jan 2007 14:42:19 +1100 (EST) Received: from katana.zip.com.au (katana.zip.com.au [61.8.7.246]) by mailproxy2.pacific.net.au (Postfix) with ESMTP id BAFDC2743A; Tue, 16 Jan 2007 14:42:18 +1100 (EST) Date: Tue, 16 Jan 2007 14:42:17 +1100 (EST) From: Bruce Evans X-X-Sender: bde@delplex.bde.org To: Dirk Engling In-Reply-To:
<45AC35A6.7090103@erdgeist.org> Message-ID: <20070116133259.N5056@delplex.bde.org> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> <20070115220039.GB2839@garage.freebsd.pl> <45AC29EA.70009@erdgeist.org> <45AC2E9F.20901@freebsd.org> <45AC35A6.7090103@erdgeist.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, Pawel Jakub Dawidek , Colin Percival Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 03:42:36 -0000

On Tue, 16 Jan 2007, Dirk Engling wrote:

> Colin Percival wrote:
>
>> No. `cp -f` unlinks the existing file and creates a new file, but will
>> still follow a symlink if one is created between the "unlink" syscall and
>> the "open" syscall.
> ...
> You are right. Atomically in binary is not atomical enough.
>
> mv in its rename()-form will do the job, so we need to create a file in
> . by mktemp and mv it to the real name when filled.

install -S already implements this, but not robustly enough to be secure.
It only creates the temporary file if the target doesn't already exist,
so it is subject to the usual races otherwise. 'S' stands for "safe"
(no-clobber), not secure, so this is reasonable. However, it can easily
be made both safer (actually no-clobber) and securer by opening the file
with O_EXCL and exiting if the file exists at the time of the open.
Perhaps cp -f should do the same. (Both have paths where they do a
forced unlink() followed by an open(). This open() can easily use O_EXCL).

mv(1) can never be trusted to use its rename() form since it uses
copying to move across file systems and there is no way to control this.
mv(1)'s rewriting of "mv file dir" to "rename file dir/file" is also
a problem (I keep rename(1) handy to avoid it). I haven't followed
most of this thread so I don't know what the attacker can do here.
Changing the target to a symlink to a directory on a different file
system would exploit both of the problems in mv.

Bruce

From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 08:29:34 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A3BC516A40F; Tue, 16 Jan 2007 08:29:34 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from pobox.codelabs.ru (pobox.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 5C27213C45E; Tue, 16 Jan 2007 08:29:34 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from codelabs.ru (pobox.codelabs.ru [144.206.177.45]) by pobox.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1H6jhB-0000Ma-N0; Tue, 16 Jan 2007 11:29:30 +0300 Date: Tue, 16 Jan 2007 11:29:22 +0300 From: Eygene Ryabinkin To: Remko Lodder Message-ID: <20070116082922.GA1035@codelabs.ru> References: <20070111064156.GM14822@codelabs.ru> <20070111072235.GA79783@elvandar.org> <20070111075616.GB20642@codelabs.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20070111075616.GB20642@codelabs.ru> Sender: rea-fbsd@codelabs.ru X-Spam-Status: No, score=-3.5 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_00 Cc: freebsd-security@freebsd.org, cperciva@freebsd.org Subject: Re: Recent vulnerabilities in xorg-server X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help:
List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 08:29:34 -0000

Gentlemen!

May I remind you about Xorg issues. Or have you already identified them
as false-positive? I can not see the vulnerability in the
http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml?rev=.
so I assume that it was either considered false or not yet processed.

Thanks!

Thu, Jan 11, 2007 at 10:56:16AM +0300, Eygene Ryabinkin wrote:
> Remko, good day!
>
> > Thanks for the notification! We are kinda busy at the
> > moment, so if you could spare a minute and write a
> > VuXML entry (a draft would also suffice), we can
> > more easily add it. If you are unable to do so, no
> > probs, but it is likely to take a bit longer to
> > get the things incorporated.
> Attached. The discovery date is given by the date of the
> original posts in Securityfocus bugtraq list:
> http://www.securityfocus.com/archive/1/456437/30/0/threaded
> http://www.securityfocus.com/archive/1/456434/30/0/threaded
> http://www.securityfocus.com/archive/1/456434/30/0/threaded
>
> The disclosure timeline is different (the same for all three posts):
> -----
> VIII. DISCLOSURE TIMELINE
>
> 12/04/2006 Initial vendor notification
> 12/05/2006 Initial vendor response
> 01/09/2007 Coordinated public disclosure
> -----
>
> > Thanks for using FreeBSD and your willingness to improve
> > the product! It is being appreciated.
> You're welcome ;))
> --
> Eygene
>
> xorg-server -- multiple vulnerabilities.
>
> xorg-server
> 6.9.0_5
>
> x11r6.9.0-dbe-render.diff
>
> CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The
> ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and
> ProcRenderAddGlyphs() functions in the X server, implementing
> requests for the dbe and render extensions, may be used to
> overwrite data on the stack or in other parts of the X
> server memory.
>
> x11r6.9.0-cidfonts.diff
>
> CVE-2006-2006-3739 and CVE 2006-3740: It may be possible
> for a user with the ability to set the X server font path,
> by making it point to a malicious font, to cause arbitrary
> code execution or denial of service on the X server.
>
> ports/107733
> CVE-2006-3739
> CVE-2006-3740
> CVE-2006-6101
> CVE-2006-6102
> CVE-2006-6103
> http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html
>
> 2007-01-09
> 2007-01-11
-- 
Eygene

From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 08:43:24 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 991D316A47C; Tue, 16 Jan 2007 08:43:24 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: from mail.garage.freebsd.pl (arm132.internetdsl.tpnet.pl [83.17.198.132]) by mx1.freebsd.org (Postfix) with ESMTP id BB48313C474; Tue, 16 Jan 2007 08:43:23 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id CA663487F0; Tue, 16 Jan 2007 09:43:21 +0100 (CET) Received: from localhost (pjd.wheel.pl [10.0.1.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id 9F09445685; Tue, 16 Jan 2007 09:43:16 +0100 (CET) Date: Tue, 16 Jan 2007 09:42:43 +0100 From: Pawel Jakub Dawidek To: Bruce Evans Message-ID: <20070116084243.GA1117@garage.freebsd.pl> References: <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> <20070115220039.GB2839@garage.freebsd.pl> <45AC29EA.70009@erdgeist.org> <45AC2E9F.20901@freebsd.org> <45AC35A6.7090103@erdgeist.org> <20070116133259.N5056@delplex.bde.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="mP3DRpeJDSE+ciuQ" Content-Disposition: inline In-Reply-To: <20070116133259.N5056@delplex.bde.org> X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 7.0-CURRENT i386 User-Agent: mutt-ng/devel-r804 (FreeBSD) X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-5.9 required=3.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.0.4 Cc:
freebsd-security@freebsd.org, Dirk Engling , Colin Percival Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 08:43:24 -0000

On Tue, Jan 16, 2007 at 02:42:17PM +1100, Bruce Evans wrote:
> On Tue, 16 Jan 2007, Dirk Engling wrote:
>
> >Colin Percival wrote:
> >
> >>No. `cp -f` unlinks the existing file and creates a new file, but will
> >>still follow a symlink if one is created between the "unlink" syscall and
> >>the "open" syscall.
> >...
> >You are right. Atomically in binary is not atomical enough.
> >
> >mv in its rename()-form will do the job, so we need to create a file in
> >. by mktemp and mv it to the real name when filled.
>
> install -S already implements this, but not robustly enough to be secure.
> It only creates the temporary file if the target doesn't already exist,
> so it is subject to the usual races otherwise. 'S' stands for "safe"
> (no-clobber), not secure, so this is reasonable. However, it can easily
> be made both safer (actually no-clobber) and securer by opening the file
> with O_EXCL and exiting if the file exists at the time of the open.
> Perhaps cp -f should do the same. (Both have paths where they do a
> forced unlink() followed by an open(). This open() can easily use O_EXCL).

Interesting. I was sure it won't work as you described, because the
target file can be a symlink and open(2) by default follows symlinks.
I thought that you just forgot about O_NOFOLLOW flag, but it seems, that
with O_EXCL open(2) doesn't follow symlinks so it will work.

> mv(1) can never be trusted to use its rename() form since it uses
> copying to move across file systems and there is no way to control this.
> mv(1)'s rewriting of "mv file dir" to "rename file dir/file" is also
> a problem (I keep rename(1) handy to avoid it). I haven't followed
> most of this thread so I don't know what the attacker can do here.
> Changing the target to a symlink to a directory on a different file
> system would exploit both of the problems in mv.

That's true. Dirk's proposal is to create a file with mktemp(1) in the
same directory where we're going to rename(2) the file, but I don't
think mktemp(1) will be safe here:

    good-guy                                attacker-within-a-jail

    cd /jail/var/log
    mktemp foo.XXX
                                            rm -f foo.XXX
                                            ln -s /etc/spwd.db foo.XXX
    copy /path/to/jail_console.log foo.XXX
    mv -f foo.XXX console.log

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 10:44:03 2007 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3F0FD16A407; Tue, 16 Jan 2007 10:44:03 +0000 (UTC) (envelope-from bde@zeta.org.au) Received: from mailout1.pacific.net.au (mailout1-3.pacific.net.au [61.8.2.210]) by mx1.freebsd.org (Postfix) with ESMTP id B705313C44B; Tue, 16 Jan 2007 10:44:02 +0000 (UTC) (envelope-from bde@zeta.org.au) Received: from mailproxy1.pacific.net.au (mailproxy1.pacific.net.au [61.8.2.162]) by mailout1.pacific.net.au (Postfix) with ESMTP id E66A95A0CE6; Tue, 16 Jan 2007 21:44:00 +1100 (EST) Received: from
katana.zip.com.au (katana.zip.com.au [61.8.7.246]) by mailproxy1.pacific.net.au (Postfix) with ESMTP id C56898C04; Tue, 16 Jan 2007 21:43:59 +1100 (EST) Date: Tue, 16 Jan 2007 21:43:58 +1100 (EST) From: Bruce Evans X-X-Sender: bde@delplex.bde.org To: Pawel Jakub Dawidek In-Reply-To: <20070116084243.GA1117@garage.freebsd.pl> Message-ID: <20070116211016.T6114@delplex.bde.org> References: <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> <20070115220039.GB2839@garage.freebsd.pl> <45AC29EA.70009@erdgeist.org> <45AC2E9F.20901@freebsd.org> <45AC35A6.7090103@erdgeist.org> <20070116133259.N5056@delplex.bde.org> <20070116084243.GA1117@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@FreeBSD.org, Dirk Engling , Colin Percival Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 10:44:03 -0000

On Tue, 16 Jan 2007, Pawel Jakub Dawidek wrote:

> On Tue, Jan 16, 2007 at 02:42:17PM +1100, Bruce Evans wrote:
>> install -S ...
>> ... can easily
>> be made both safer (actually no-clobber) and securer by opening the file
>> with O_EXCL and exiting if the file exists at the time of the open.
>> Perhaps cp -f should do the same. (Both have paths where they do a
>> forced unlink() followed by an open(). This open() can easily use O_EXCL).
>
> Interesting. I was sure it won't work as you described, because the
> target file can be a symlink and open(2) by default follows symlinks.
> I thought that you just forgot about O_NOFOLLOW flag, but it seems, that
> with O_EXCL open(2) doesn't follow symlinks so it will work.

I did forget it. I just assumed that doing the same thing as mkstemp()
is as secure as possible, and it is. Old versions of mkstemp() couldn't
use O_NOFOLLOW since O_NOFOLLOW has only existed since Y2K. New versions
don't use it because it is unnecessary. Exclusive access isn't enough
for security since if open() followed a dangling link it would create
a security hole with (O_CREAT | O_EXCL). But there is no problem since
O_EXCL implies not following symlinks even if O_NOFOLLOW is not supported.
This is documented in open(2) and better documented in POSIX.

Bruce

From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 09:44:07 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1AFFD16A407; Tue, 16 Jan 2007 09:44:07 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.freebsd.org (Postfix) with ESMTP id BD7EB13C442; Tue, 16 Jan 2007 09:44:06 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A5EFD9.dip.t-dialin.net [84.165.239.217]) by redbull.bpaserver.net (Postfix) with ESMTP id 524482E1D5; Tue, 16 Jan 2007 10:51:26 +0100 (CET) Received: from webmail.leidinger.net (webmail.Leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id 5A0675B497E; Tue, 16 Jan 2007 10:43:58 +0100 (CET) Received: (from www@localhost) by webmail.leidinger.net (8.13.8/8.13.8/Submit) id l0G9hvMq046509; Tue, 16 Jan 2007 10:43:57 +0100 (CET) (envelope-from Alexander@Leidinger.net) Received: from pslux.cec.eu.int (pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde MIME library) with HTTP; Tue, 16 Jan 2007 10:43:57 +0100 Message-ID: <20070116104357.jkztqfpta88wk48c@webmail.leidinger.net> X-Priority: 3 (Normal) Date: Tue, 16 Jan 2007 10:43:57 +0100 From: Alexander Leidinger To:
Pawel Jakub Dawidek References: <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> <20070115220039.GB2839@garage.freebsd.pl> <45AC29EA.70009@erdgeist.org> <45AC2E9F.20901@freebsd.org> <45AC35A6.7090103@erdgeist.org> <20070116133259.N5056@delplex.bde.org> <20070116084243.GA1117@garage.freebsd.pl> In-Reply-To: <20070116084243.GA1117@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) H3 (4.1.3) / FreeBSD-7.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-14.264, required 6, BAYES_00 -15.00, DK_POLICY_SIGNSOME 0.00, FORGED_RCVD_HELO 0.14, J_CHICKENPOX_33 0.60) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No X-Mailman-Approved-At: Tue, 16 Jan 2007 12:23:45 +0000 Cc: Dirk, freebsd-security@FreeBSD.org, Engling , Colin Percival Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 09:44:07 -0000

Quoting Pawel Jakub Dawidek (from Tue, 16 Jan 2007 09:42:43 +0100):

>     good-guy                                attacker-within-a-jail
>
>     cd /jail/var/log
>     mktemp foo.XXX
>                                             rm -f foo.XXX
>                                             ln -s /etc/spwd.db foo.XXX
>     copy /path/to/jail_console.log foo.XXX
>     mv -f foo.XXX console.log

I did not have time to look at how the console part is handled.
But out of the blue I would assume the console.log is created before the jail is started. Like:
 - check if console.log is a file which we are allowed to overwrite (no symlink pointing outside the jail)
 - bail out if it points outside the jail or prefix the jail base directory to the resulting path if it is a link
 - (echo "Starting $(date)"; start_jail) >>${console.log}

The echo is there to make sure it exists and the subshell to make sure the file is not closed. This assumes the output is not more than line buffered (it isn't here on Solaris 10 with zsh).

Why can't we do it like this?

Bye,
Alexander.

--
" "             -- Charlie Chaplin
" "             -- Harpo Marx
" "             -- Marcel Marceau
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Tue Jan 16 09:52:22 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C274916A415 for ; Tue, 16 Jan 2007 09:52:22 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.freebsd.org (Postfix) with ESMTP id 79A1313C441 for ; Tue, 16 Jan 2007 09:52:20 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A5EFD9.dip.t-dialin.net [84.165.239.217]) by redbull.bpaserver.net (Postfix) with ESMTP id C8EC02E1D5; Tue, 16 Jan 2007 10:59:42 +0100 (CET) Received: from webmail.leidinger.net (webmail.Leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id C0DB05B497E; Tue, 16 Jan 2007 10:52:14 +0100 (CET) Received: (from www@localhost) by webmail.leidinger.net (8.13.8/8.13.8/Submit) id l0G9qEjZ047956; Tue, 16 Jan 2007 10:52:14 +0100 (CET) (envelope-from Alexander@Leidinger.net) Received: from pslux.cec.eu.int
(pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde MIME library) with HTTP; Tue, 16 Jan 2007 10:52:14 +0100 Message-ID: <20070116105214.bi1b50nvz4oooc8o@webmail.leidinger.net> X-Priority: 3 (Normal) Date: Tue, 16 Jan 2007 10:52:14 +0100 From: Alexander Leidinger To: Dirk Engling References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> In-Reply-To: <45ABDC7C.6060407@erdgeist.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: 7bit User-Agent: Internet Messaging Program (IMP) H3 (4.1.3) / FreeBSD-7.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-14.787, required 6, autolearn=not spam, BAYES_00 -15.00, DK_POLICY_SIGNSOME 0.00, FORGED_RCVD_HELO 0.14, TW_ZJ 0.08) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No X-Mailman-Approved-At: Tue, 16 Jan 2007 12:23:56 +0000 Cc: freebsd-security@freebsd.org Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jan 2007 09:52:22 -0000

Quoting Dirk Engling (from Mon, 15 Jan 2007 20:56:44 +0100):

> To do the same with console.log (I _really_ like this feature and would
> want it re-enabled asap) you can use something like:

While talking about symlinks in jails: I'm hijacking this thread to point you to http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/107135 which is a patch for the ezjail port to handle links to packages in a sensible way. So far I didn't get a response from you.

Bye,
Alexander.
-- THE BEATLES: Paul McCartney's old back-up band. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137 From owner-freebsd-security@FreeBSD.ORG Wed Jan 17 10:11:11 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0189816A40F; Wed, 17 Jan 2007 10:11:11 +0000 (UTC) (envelope-from frol@nerve.riss-telecom.ru) Received: from nerve.riss-telecom.ru (nerve.riss-telecom.ru [80.66.65.3]) by mx1.freebsd.org (Postfix) with ESMTP id 4428F13C457; Wed, 17 Jan 2007 10:11:10 +0000 (UTC) (envelope-from frol@nerve.riss-telecom.ru) Received: from nerve.riss-telecom.ru (localhost [127.0.0.1]) by nerve.riss-telecom.ru (8.13.6/8.13.6) with ESMTP id l0H9vgkl008853; Wed, 17 Jan 2007 15:57:42 +0600 (NOVT) (envelope-from frol@nerve.riss-telecom.ru) Received: (from frol@localhost) by nerve.riss-telecom.ru (8.13.6/8.13.6/Submit) id l0H9vgtY008852; Wed, 17 Jan 2007 15:57:42 +0600 (NOVT) (envelope-from frol) Date: Wed, 17 Jan 2007 15:57:42 +0600 From: Dmitry Frolov To: Colin Percival Message-ID: <20070117095742.GW43331@nerve.riss-telecom.ru> Mail-Followup-To: Colin Percival , freebsd-security@freebsd.org, freebsd-stable@freebsd.org References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <45A6DB76.40800@freebsd.org> Organization: RISS-Telecom, JSC X-PGP-Fingerprint: 5232 98E7 596E 21C2 52B5 FCAE 8088 3F87 88BC 27B0 User-Agent: Mutt/1.5.11 Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Jan 2007 10:11:11 -0000 * Colin Percival [12.01.2007 06:53]: > Hello Everyone, > > I usually let security advisories speak for themselves, but I want to call > special attention to this one: If you use jails, READ THE ADVISORY, in > particular the "NOTE WELL" part below; and if you have problems after applying > the security patch, LET US KNOW -- we do everything we can to make sure > that security updates will never cause problems, but in this case we could > not fix the all of the security issues without either making assumptions > about how systems are configured or reducing functionality. > > In the end we opted to reduce functionality (the jail startup process is > no longer logged to /var/log/console.log inside the jail), make an assumption > about how systems are configured (filesystems which are mounted via per-jail > fstab files should not be mounted on symlinks -- if you do this, adjust your > fstab files to give the real, non-symlinked, path to the mount point), and > leave a potential security problem unfixed (if you mount any filesystems via > per-jail fstab files on mount points which are visible within multiple jails, > there are problems -- don't do this). > > While this is not ideal, this security issue was extraordinarily messy due to > the power and flexibility of the jails and the jail rc.d script. I can't > recall any other time when the security team has spent this long trying to > find a working patch for a security issue. I'd like to publicly thank Simon > Nielsen for the many many hours he spent working on this issue, as well as > the release engineering team for being very patient with us and delaying the > upcoming release to give us time to fix this. The other approach to write log file safely is to do it from the process running inside a jail. As an example, there is a ports/sysutils/jailer that does that (with small modification). 
Here are small patches that fix it to work on FBSD > 4 and allows it to write to log file instead of console: http://kaya.nov.net/frol/patches/jailer-1.1.2-fbsd5-console.diff http://kaya.nov.net/frol/patches/jailer-1.1.2-injail-sysctl.diff wbr&w, dmitry. -- Dmitry Frolov RISS-Telecom Network, Novosibirsk, Russia 66415911@ICQ, +7 383 2278800, DVF-RIPE From owner-freebsd-security@FreeBSD.ORG Fri Jan 19 23:12:29 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DE55116A405 for ; Fri, 19 Jan 2007 23:12:29 +0000 (UTC) (envelope-from randy@psg.com) Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by mx1.freebsd.org (Postfix) with ESMTP id C559213C442 for ; Fri, 19 Jan 2007 23:12:29 +0000 (UTC) (envelope-from randy@psg.com) Received: from localhost ([127.0.0.1] helo=roam.psg.com) by rip.psg.com with esmtp (Exim 4.66 (FreeBSD)) (envelope-from ) id 1H82uK-000L5V-Lf; Fri, 19 Jan 2007 23:12:28 +0000 Received: from localhost ([127.0.0.1] helo=roam.psg.com) by roam.psg.com with esmtp (Exim 4.66 (FreeBSD)) (envelope-from ) id 1H82uF-0006Dp-Uf; Fri, 19 Jan 2007 13:12:24 -1000 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <17841.20566.970406.261386@roam.psg.com> Date: Fri, 19 Jan 2007 15:12:22 -0800 To: Bigby Findrake References: <17832.37104.392873.671721@roam.psg.com> <17833.9470.515735.802136@roam.psg.com> <20070119145118.W94270@home.ephemeron.org> Cc: freebsd-security@freebsd.org Subject: Re: Permission denied by op X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Jan 2007 23:12:29 -0000 >>> i am invoking op from a python proggy which does an 
op.system() of >>> op chmod 640 /usr/local/etc/tac_plus.conf >>> i get "Permission denied by op" >> btw, have tested with same invocation directly from /bin/sh. same >> result. i.e. it is not the python environment. >>> % ls -l /usr/local/etc/op.access >>> -r-------- 1 root wheel 149 Jan 13 07:41 /usr/local/etc/op.access >>> % cat /usr/local/etc/op.access >>> # 2007.01.13 >>> # >>> #DEFAULT users=src >>> # >>> chown /usr/sbin/chown $* ; users=src >>> chmod /bin/chmod $* ; users=src >>> rsync /usr/local/bin/rsync $* ; users=src >>> # >>> % id >>> uid=1007(src) gid=1006(srctree) groups=1006(srctree) >>> clue bat, please > Let me recap, and you correct me when I'm wrong: > * you're running as UID 1007. yes > * the file is owned by root. not exactly, the file i am trying to modify is owned by tacacs > * you're trying to chmod it and it's failing. it is failing rsync of the new copy owned by me over the copy owned by tacacs chown of the target file to tacacs chmod of the target file to 640 > Is that the situation so far? 
the situation now is that i ditched op and am using sudo randy From owner-freebsd-security@FreeBSD.ORG Fri Jan 19 23:13:02 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 645F616A400 for ; Fri, 19 Jan 2007 23:13:02 +0000 (UTC) (envelope-from bigby@ephemeron.org) Received: from dsl.ephemeron.org (dsl092-035-072.lax1.dsl.speakeasy.net [66.92.35.72]) by mx1.freebsd.org (Postfix) with ESMTP id 2BD9913C457 for ; Fri, 19 Jan 2007 23:13:02 +0000 (UTC) (envelope-from bigby@ephemeron.org) Received: from home.ephemeron.org (root@home.fake.net [10.0.2.3]) by dsl.ephemeron.org (8.12.11/8.12.11) with ESMTP id l0JMtUoe068775; Fri, 19 Jan 2007 14:55:31 -0800 (PST) (envelope-from bigby@ephemeron.org) Received: from home.ephemeron.org (bigby@localhost [127.0.0.1]) by home.ephemeron.org (8.13.6/8.13.8) with ESMTP id l0JMtAFW010203; Fri, 19 Jan 2007 14:55:30 -0800 (PST) (envelope-from bigby@ephemeron.org) Received: from localhost (bigby@localhost) by home.ephemeron.org (8.13.6/8.13.8/Submit) with ESMTP id l0JMt5qp010200; Fri, 19 Jan 2007 14:55:06 -0800 (PST) (envelope-from bigby@ephemeron.org) X-Authentication-Warning: home.ephemeron.org: bigby owned process doing -bs Date: Fri, 19 Jan 2007 14:55:05 -0800 (PST) From: Bigby Findrake To: Randy Bush In-Reply-To: <17833.9470.515735.802136@roam.psg.com> Message-ID: <20070119145118.W94270@home.ephemeron.org> References: <17832.37104.392873.671721@roam.psg.com> <17833.9470.515735.802136@roam.psg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (dsl.ephemeron.org [10.0.2.2]); Fri, 19 Jan 2007 14:55:31 -0800 (PST) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (home.ephemeron.org [127.0.0.1]); Fri, 19 Jan 2007 14:55:30 -0800 (PST) Cc: 
freebsd-security@freebsd.org Subject: Re: Permission denied by op X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Jan 2007 23:13:02 -0000 On Sat, 13 Jan 2007, Randy Bush wrote: >> i am invoking op from a python proggy which does an op.system() of >> op chmod 640 /usr/local/etc/tac_plus.conf >> i get "Permission denied by op" > > btw, have tested with same invocation directly from /bin/sh. same > result. i.e. it is not the python environment. > >> % ls -l /usr/local/etc/op.access >> -r-------- 1 root wheel 149 Jan 13 07:41 /usr/local/etc/op.access >> >> % cat /usr/local/etc/op.access >> # 2007.01.13 >> # >> #DEFAULT users=src >> # >> chown /usr/sbin/chown $* ; users=src >> chmod /bin/chmod $* ; users=src >> rsync /usr/local/bin/rsync $* ; users=src >> # >> >> % id >> uid=1007(src) gid=1006(srctree) groups=1006(srctree) >> >> clue bat, please Let me recap, and you correct me when I'm wrong: * you're running as UID 1007. * the file is owned by root. * you're trying to chmod it and it's failing. Is that the situation so far? -- Nearly all men can stand adversity, but if you want to test a man's character, give him power. 
-- Abraham Lincoln finger://bigby@home.ephemeron.org http://www.ephemeron.org/~bigby/ irc://irc.ephemeron.org/#the_pub news://news.ephemeron.org/alt.lemurs From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 11:40:27 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6421816A400; Sat, 20 Jan 2007 11:40:27 +0000 (UTC) (envelope-from tataz@tataz.chchile.org) Received: from postfix2-g20.free.fr (postfix2-g20.free.fr [212.27.60.43]) by mx1.freebsd.org (Postfix) with ESMTP id 832F413C47E; Sat, 20 Jan 2007 11:40:26 +0000 (UTC) (envelope-from tataz@tataz.chchile.org) Received: from smtp3-g19.free.fr (smtp3-g19.free.fr [212.27.42.29]) by postfix2-g20.free.fr (Postfix) with ESMTP id 6CA2094331A; Sat, 20 Jan 2007 11:17:29 +0100 (CET) Received: from tatooine.tataz.chchile.org (tataz.chchile.org [82.233.239.98]) by smtp3-g19.free.fr (Postfix) with ESMTP id 8C4B14A1FC; Sat, 20 Jan 2007 12:17:14 +0100 (CET) Received: from obiwan.tataz.chchile.org (unknown [192.168.1.25]) by tatooine.tataz.chchile.org (Postfix) with ESMTP id 830589D41F; Sat, 20 Jan 2007 11:18:36 +0000 (UTC) Received: by obiwan.tataz.chchile.org (Postfix, from userid 1000) id 4B670405D; Sat, 20 Jan 2007 12:18:36 +0100 (CET) Date: Sat, 20 Jan 2007 12:18:36 +0100 From: Jeremie Le Hen To: Colin Percival Message-ID: <20070120111836.GF99833@obiwan.tataz.chchile.org> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <45A6DB76.40800@freebsd.org> User-Agent: Mutt/1.5.13 (2006-08-11) Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues 
\[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Jan 2007 11:40:27 -0000 Hi Colin, On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote: > Hello Everyone, > > I usually let security advisories speak for themselves, but I want to call > special attention to this one: If you use jails, READ THE ADVISORY, in > particular the "NOTE WELL" part below; and if you have problems after applying > the security patch, LET US KNOW -- we do everything we can to make sure > that security updates will never cause problems, but in this case we could > not fix the all of the security issues without either making assumptions > about how systems are configured or reducing functionality. > > In the end we opted to reduce functionality (the jail startup process is > no longer logged to /var/log/console.log inside the jail), make an assumption > about how systems are configured (filesystems which are mounted via per-jail > fstab files should not be mounted on symlinks -- if you do this, adjust your > fstab files to give the real, non-symlinked, path to the mount point), and > leave a potential security problem unfixed (if you mount any filesystems via > per-jail fstab files on mount points which are visible within multiple jails, > there are problems -- don't do this). > > While this is not ideal, this security issue was extraordinarily messy due to > the power and flexibility of the jails and the jail rc.d script. I can't > recall any other time when the security team has spent this long trying to > find a working patch for a security issue. I'd like to publicly thank Simon > Nielsen for the many many hours he spent working on this issue, as well as > the release engineering team for being very patient with us and delaying the > upcoming release to give us time to fix this. Thank you very much to Simon Nielsen for the work being accomplished. 
According to the patch itself, it is clear he should have spent much time to resolve this issue. However both Pawel and Dirk seem to have proposed less limiting solutions. I understand we are talking about security and we may not have much time experimenting with every solution on RELENG_6. Nonetheless CURRENT is the one place to experiment with such solutions with a larger audience and I would be very pleased to see a less restrictive workaround for this problem. Indeed I'm using the same setup as Pawel (/jail -> /usr/jail).

Thank you for your work as a security officer.

Best regards,
--
Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 12:52:43 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F1FB716A400; Sat, 20 Jan 2007 12:52:42 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.freebsd.org (Postfix) with ESMTP id 6ED1013C45A; Sat, 20 Jan 2007 12:52:42 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id A6CC92D48C3; Sat, 20 Jan 2007 12:24:33 +0000 (UTC) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 7F2371141E; Sat, 20 Jan 2007 13:24:33 +0100 (CET) Date: Sat, 20 Jan 2007 13:24:33 +0100 From: "Simon L. 
Nielsen" To: Pawel Jakub Dawidek Message-ID: <20070120122432.GA971@zaphod.nitro.dk> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20070113112937.GI90718@garage.freebsd.pl> User-Agent: Mutt/1.5.11 Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Jan 2007 12:52:43 -0000 On 2007.01.13 12:29:37 +0100, Pawel Jakub Dawidek wrote: > On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote: > > Hello Everyone, > > > > I usually let security advisories speak for themselves, but I want to call > > special attention to this one: If you use jails, READ THE ADVISORY, in > > particular the "NOTE WELL" part below; and if you have problems after applying > > the security patch, LET US KNOW -- we do everything we can to make sure > > that security updates will never cause problems, but in this case we could > > not fix the all of the security issues without either making assumptions > > about how systems are configured or reducing functionality. 
> > > > In the end we opted to reduce functionality (the jail startup process is > > no longer logged to /var/log/console.log inside the jail), make an assumption > > about how systems are configured (filesystems which are mounted via per-jail > > fstab files should not be mounted on symlinks -- if you do this, adjust your > > fstab files to give the real, non-symlinked, path to the mount point), and > > leave a potential security problem unfixed (if you mount any filesystems via > > per-jail fstab files on mount points which are visible within multiple jails, > > there are problems -- don't do this). So, I have been putting off replying to this thread, but I guess it seems like I should reply... :-) > I don't like the way it was fixed. I do know it wasn't easy to fix. I don't like it either, but it was the best of bad solutions. My hope while developing the patch, and cursing computers in general :-), was that after the Security Advisory went out somebody would implement a fix which sucks less possibly by modifying some of the support tools. Your suggestion with modifying realpath to use chroot(2) certainly sounds like it could work, but I haven't thought about it in great detail if there are problems. The Security Team does not hold a lock on trying to improve the fix in src/etc/rc.d/jail, but anyone that does change the fix from the Security Advisory should be really really really really (did I mention "really"?) sure the fix is safe and have at least a few people with security clue review patches. It is very easy to get this wrong (my first patch did). Also, whatever fix is made should be in -CURRENT for a while (3 weeks min. IMO) before being MFC'ed, both because it gives more time for people to think about the fix and because -CURRENT isn't supported wrt. security issues, so if the fix is wrong we don't have to issue an advisory. BTW. 
with regard to the console.log file I really don't think it should be put back inside the jail unless it's possible to make the generation of the file entirely inside the jail since it's just not worth the risk/complexity. I think it should be possible to do this with jail(8) in -CURRENT (see -J flag), but: Note that it will probably be at least a couple of weeks before I feel like going anywhere near the jail rc.d script again (except for the warning comment I plan to add...), so don't wait for me with regard to improving this. And in case anyone were in doubt: Computers still suck :-). -- Simon L. Nielsen From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 13:03:56 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 80F8E16A400; Sat, 20 Jan 2007 13:03:56 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: from mail.garage.freebsd.pl (arm132.internetdsl.tpnet.pl [83.17.198.132]) by mx1.freebsd.org (Postfix) with ESMTP id E348B13C448; Sat, 20 Jan 2007 13:03:55 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id AC521456B1; Sat, 20 Jan 2007 14:03:54 +0100 (CET) Received: from localhost (154.81.datacomsa.pl [195.34.81.154]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id 5E10E45684; Sat, 20 Jan 2007 14:03:49 +0100 (CET) Date: Sat, 20 Jan 2007 14:03:08 +0100 From: Pawel Jakub Dawidek To: "Simon L. 
Nielsen" Message-ID: <20070120130308.GD6697@garage.freebsd.pl> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <20070120122432.GA971@zaphod.nitro.dk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vni90+aGYgRvsTuO" Content-Disposition: inline In-Reply-To: <20070120122432.GA971@zaphod.nitro.dk> X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 7.0-CURRENT i386 User-Agent: mutt-ng/devel-r804 (FreeBSD) X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-2.6 required=3.0 tests=BAYES_00 autolearn=ham version=3.0.4 Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Jan 2007 13:03:56 -0000 --vni90+aGYgRvsTuO Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote: [...] > BTW. with regard to the console.log file I really don't think it > should be put back inside the jail unless it's possible to make the > generation of the file entirely inside the jail since it's just not > worth the risk/complexity. I think it should be possible to do this > with jail(8) in -CURRENT (see -J flag), but: When -J operates on a file inside a jail, it create the same security hole as the one from security advisory, because it opens a file before calling jail(2). I fully agree that console.log should be outside a jail. 
At least no one proposed a safe solution so far, which also means it's not an easy fix.

--
Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am!

--vni90+aGYgRvsTuO Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFFshMMForvXbEpPzQRApA1AKDiMTyIcxDIvDZ4cmeKA4iGMlqdigCgu3QU pykGKIYasuv/tQgcOY1+hl4= =YXAz -----END PGP SIGNATURE----- --vni90+aGYgRvsTuO--

From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 13:54:03 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E43B116A402; Sat, 20 Jan 2007 13:54:03 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.freebsd.org (Postfix) with ESMTP id EE3CD13C457; Sat, 20 Jan 2007 13:54:02 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id 1236A2D4951; Sat, 20 Jan 2007 13:54:02 +0000 (UTC) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 0C6941141E; Sat, 20 Jan 2007 14:54:02 +0100 (CET) Date: Sat, 20 Jan 2007 14:54:02 +0100 From: "Simon L. 
Nielsen" To: Pawel Jakub Dawidek Message-ID: <20070120135401.GB971@zaphod.nitro.dk> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <20070120122432.GA971@zaphod.nitro.dk> <20070120130308.GD6697@garage.freebsd.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20070120130308.GD6697@garage.freebsd.pl> User-Agent: Mutt/1.5.11 Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Jan 2007 13:54:04 -0000

On 2007.01.20 14:03:08 +0100, Pawel Jakub Dawidek wrote:
> On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote:
> [...]
> > BTW. with regard to the console.log file I really don't think it
> > should be put back inside the jail unless it's possible to make the
> > generation of the file entirely inside the jail since it's just not
> > worth the risk/complexity. I think it should be possible to do this
> > with jail(8) in -CURRENT (see -J flag), but:
>
> When -J operates on a file inside a jail, it create the same security
> hole as the one from security advisory, because it opens a file before
> calling jail(2).

My thought with using -J was not place the info about jid in a file outside the jail root, basically (pseudo code):

_tmpfile=`mktemp...`
jail -J $_tmpfile "sh /etc/rc > /var/log/console.log"
_jid=`cat $_tmpfile | something`

At least that was what I thought might be possible with the -J switch when I noticed it existed.
In any case, actually coding this, verifying that it works and is safe
is left up to anyone who cares about having console.log inside the jail.

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 14:05:47 2007
Message-ID: <45B221B3.9090403@erdgeist.org>
Date: Sat, 20 Jan 2007 15:05:39 +0100
From: Dirk Engling
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival, "Simon L. Nielsen"
In-Reply-To: <20070120130308.GD6697@garage.freebsd.pl>
Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pawel Jakub Dawidek wrote:

> When -J operates on a file inside a jail, it creates the same security
> hole as the one from the security advisory, because it opens a file
> before calling jail(2).

> I fully agree that console.log should be outside a jail. At least no one
> proposed a safe solution so far, which also means it's not an easy fix.

I still suggest using "pwd -P" to get the real path and using the shell's
CWD as a lock. That works safely with mount(8) at least.

Comments?

  erdgeist
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFsiGzImmQdUyYEgkRAlKcAJ4izD1J4x6jDDfvrtr5J+bcmSxK/ACfRpwn
x5yVH4uJIN7CWEgYtATKDE0=
=sQq3
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 17:02:01 2007
Date: Sat, 20 Jan 2007 18:01:59 +0100
From: "Simon L. Nielsen"
To: Stefan Bethke
Cc: freebsd-security@freebsd.org, Pawel Jakub Dawidek, Colin Percival, freebsd-stable@freebsd.org
Message-ID: <20070120170158.GC971@zaphod.nitro.dk>
In-Reply-To: <178C4510-6CD1-4F32-AA41-BDB6CF35E0C3@lassitu.de>
Subject: Re: Improving FreeBSD-SA-07:01.jail fix

On 2007.01.20 17:52:32 +0100, Stefan Bethke wrote:
> On 20.01.2007 at 13:24, Simon L. Nielsen wrote:
>
> >BTW. with regard to the console.log file I really don't think it
> >should be put back inside the jail unless it's possible to make the
> >generation of the file entirely inside the jail since it's just not
> >worth the risk/complexity.
>
> I'm probably missing something, but why not replace:
>     _jail_id=$(head -1 ${_tmp_jail})
>     tail +2 ${_tmp_jail} >${_rootdir}/var/log/console.log
> with:
>     _jail_id=$(head -1 ${_tmp_jail})
>     tail +2 ${_tmp_jail} | jexec ${_jail_id} sh -c "cat >/var/log/console.log"

I thought of, and actually implemented, a similar solution when I
worked on the problem but there are two problems:

- You cannot be sure cat exists inside the jail.
- The jail could already have exited again in which case jexec will
  fail.

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 17:31:33 2007
Message-Id: <178C4510-6CD1-4F32-AA41-BDB6CF35E0C3@lassitu.de>
In-Reply-To: <20070120122432.GA971@zaphod.nitro.dk>
From: Stefan Bethke
Date: Sat, 20 Jan 2007 17:52:32 +0100
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, Pawel Jakub Dawidek, Colin Percival, freebsd-stable@freebsd.org
Subject: Re: Improving FreeBSD-SA-07:01.jail fix

On 20.01.2007 at 13:24, Simon L. Nielsen wrote:

> BTW. with regard to the console.log file I really don't think it
> should be put back inside the jail unless it's possible to make the
> generation of the file entirely inside the jail since it's just not
> worth the risk/complexity.

I'm probably missing something, but why not replace:
    _jail_id=$(head -1 ${_tmp_jail})
    tail +2 ${_tmp_jail} >${_rootdir}/var/log/console.log
with:
    _jail_id=$(head -1 ${_tmp_jail})
    tail +2 ${_tmp_jail} | jexec ${_jail_id} sh -c "cat >/var/log/console.log"

Stefan

--
Stefan Bethke   Fon +49 170 346 0140

From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 22:58:33 2007
Message-ID: <45B29E8F.3050507@localhost.lu>
Date: Sat, 20 Jan 2007 23:58:23 +0100
From: Steve Clement
To: freebsd-security@freebsd.org
Subject: ssh-add core dump out of the blue...

Hi List,

all of a sudden my ssh-add dumps. As always :) I haven't changed
anything. In the beginning I thought my encrypted disk key was borked
but I re-created a new key and I have the same phenomenon.

http://steve.localhost.lu/ssh-add.core
http://steve.localhost.lu/ktrace.out

steve@laptop-steve ~ $ uname -a
FreeBSD laptop-steve.localhost.lu 6.2-RC2 FreeBSD 6.2-RC2 #1: Sun Dec 24 19:31:12 CET 2006 root@laptop-steve.localhost.lu:/usr/obj/usr/src/sys/LAPTOP-STEVE i386

Obviously the dump is my NON-FUNCTIONAL NO PASSPHRASE KEY!!!

Do I need to provide any more info?

cheers,

Steve Clement

--
     __o      | Steve Clement - Unix System Administrator
   _ \<,_     | Current Location: Luxembourg/Europe
  (_)/ (_)    | "Work to Eat, Eat to Live, Live to Bike, Bike to Work"
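For the FreeBSD-SA-07:01.jail console.log thread above, Dirk Engling's "pwd -P plus CWD as a lock" suggestion can be sketched as follows. This is an added example, not code from the thread or from rc.d/jail; `write_console_log`, `demo` and the temporary directory tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the rc.d/jail code. Function names are hypothetical.

# write_console_log ROOT SRC
# Copy SRC to ROOT/var/log/console.log only when var/log physically lies
# inside ROOT. Returns 0 on success, 1 when refused, non-zero on other errors.
write_console_log() {
    _root=$1; _src=$2
    (
        exec 3<"$_src" || exit 2      # open the source before changing directory
        # Canonical jail root as seen from the host.
        _real_root=$(cd "$_root" 2>/dev/null && pwd -P) || exit 2
        # Enter the log directory; the CWD now pins that directory, so later
        # renames of path components cannot redirect "./console.log".
        cd "$_root/var/log" 2>/dev/null || exit 2
        case $(pwd -P) in
            "$_real_root"/*) ;;       # physically inside the jail root
            *) exit 1 ;;              # a symlink led outside: refuse
        esac
        # Refuse a symlink or non-regular file as the final component.
        # This test-then-open is still racy: sh cannot open with O_NOFOLLOW.
        [ -L console.log ] && exit 1
        [ -e console.log ] && [ ! -f console.log ] && exit 1
        cat <&3 >./console.log
    )
}

# Constructed fixture: one honest jail root and one whose var/log is a
# symlink pointing at a directory outside the root.
demo() {
    _t=$(mktemp -d) || return 2
    mkdir -p "$_t/good/var/log" "$_t/evil/var" "$_t/host"
    ln -s "$_t/host" "$_t/evil/var/log"
    printf 'jail boot output\n' >"$_t/boot.txt"
    write_console_log "$_t/good" "$_t/boot.txt" && echo "good: written"
    write_console_log "$_t/evil" "$_t/boot.txt" || echo "evil: refused"
    rm -rf "$_t"
}
demo
```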