Date: Sun, 05 Jun 2016 13:19:00 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 210049] jails & the default lo0 127.0.0.1 loopback interface Message-ID: <bug-210049-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D210049 Bug ID: 210049 Summary: jails & the default lo0 127.0.0.1 loopback interface Product: Base System Version: 10.3-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: qjail1@a1poweruser.com The undocumented behavior of non-vimage jails populated with an port or pkg that defaults to communicating over the lo0 127.0.0.1 loopback interface is= to simply map it over with the jails defined primary IP address. This default = jail behavior exposes that port/pkg to all the traffic entering the jail over its primary IP address whether from the LAN or public network. This is a securi= ty issue.=20 This is not the behavior of 127.0.0.1 as defined in [RFC1700, page 5] which states "127.0.0.0/8 - This block is assigned for use as the Internet host= =20=20 loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host." In a jails c= ase the word "host" would also mean "jail". The administrators of such jails have to manually activate loopback by addi= ng lo0:127.0.0.x to the jails ip4_addr parameter value alone with the jails primary IP address. Then manually change the conf file of all the applicati= ons running in that jail to use that lo0 127.0.0.x IP address. Or an alternate = is to add a statement to the hosts rc.conf to clone the lo0 interface and them code as above. This means each jail has a unique loopback ip address.=20 This manual work around is not documented and should not be necessary. The non-vimage jail should just handle loopback localhost by default. The kernel lo0 interface needs to be made jail aware. This issue has been recently discussed with James Gritton jamie@freebsd.org= and he agrees its time to address this long outstanding security issue. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-210049-8>