From owner-freebsd-security@FreeBSD.ORG  Sat Jan 20 14:05:47 2007
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 4838F16A40A
	for <freebsd-security@freebsd.org>;
	Sat, 20 Jan 2007 14:05:47 +0000 (UTC)
	(envelope-from erdgeist@erdgeist.org)
Received: from elektropost.org (elektropost.org [80.237.196.4])
	by mx1.freebsd.org (Postfix) with ESMTP id 35D5E13C45B
	for <freebsd-security@freebsd.org>;
	Sat, 20 Jan 2007 14:05:46 +0000 (UTC)
	(envelope-from erdgeist@erdgeist.org)
Received: (qmail 40635 invoked by uid 0); 20 Jan 2007 14:05:11 -0000
Received: from e179007141.adsl.alicedsl.de (HELO ?10.1.1.102?)
	(erdgeist@erdgeist.org@85.179.7.141)
	by elektropost.org with AES256-SHA encrypted SMTP;
	20 Jan 2007 14:05:11 -0000
Message-ID: <45B221B3.9090403@erdgeist.org>
Date: Sat, 20 Jan 2007 15:05:39 +0100
From: Dirk Engling <erdgeist@erdgeist.org>
User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207)
MIME-Version: 1.0
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
References: <200701111841.l0BIfWOn015231@freefall.freebsd.org>	<45A6DB76.40800@freebsd.org>	<20070113112937.GI90718@garage.freebsd.pl>	<20070120122432.GA971@zaphod.nitro.dk>
	<20070120130308.GD6697@garage.freebsd.pl>
In-Reply-To: <20070120130308.GD6697@garage.freebsd.pl>
X-Enigmail-Version: 0.94.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org,
	Colin Percival <cperciva@freebsd.org>,
	"Simon L. Nielsen" <simon@FreeBSD.org>
Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD
 Security Advisory FreeBSD-SA-07:01.jail]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Jan 2007 14:05:47 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pawel Jakub Dawidek wrote:

> When -J operates on a file inside a jail, it create the same security
> hole as the one from security advisory, because it opens a file before
> calling jail(2).
> I fully agree that console.log should be outside a jail. At least noone
> proposed safe solution so far, which also means it's not an easy fix.

I still suggest using "pwd -P" to get the real path and using the
shell's CWD as a lock. That works safely with mount(8) at least.

Comments?

  erdgeist
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFsiGzImmQdUyYEgkRAlKcAJ4izD1J4x6jDDfvrtr5J+bcmSxK/ACfRpwn
x5yVH4uJIN7CWEgYtATKDE0=
=sQq3
-----END PGP SIGNATURE-----