Date:      Mon, 15 Jan 2007 20:56:44 +0100
From:      Dirk Engling <erdgeist@erdgeist.org>
To:        "Pawel Jakub Dawidek" <pjd@FreeBSD.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID:  <45ABDC7C.6060407@erdgeist.org>
In-Reply-To: <20070113112937.GI90718@garage.freebsd.pl>
References:  <200701111841.l0BIfWOn015231@freefall.freebsd.org>	<45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl>


Pawel Jakub Dawidek wrote:

> I'll keep /var/log/console.log outside a jail, because using
> 'realpath -c' will be dangerous once the jail is running. There could be
> a race where `realpath -c` returns one path, an attacker inside a jail
> changes one of the resolved path's components and rc.d/jail from outside a
> jail tries to use it.

A simple way to prevent race conditions (here an example to mount devfs
into jails) is:

cd ${jail_root}
j_root=`pwd`
cd ${jail_dev_dir}
j_dev=`pwd`
eval evil_doer=\$\{j_dev#${j_root}\}
[ "$evil_doer" = "$j_dev" ] && exit
mount_devfs devfs .

To do the same with console.log (I _really_ like this feature and would
want it re-enabled asap) you can use something like:

cd ${jail_root}
j_root=`pwd`
cd ${jail_var_log_dir}
j_var_log=`pwd`
eval evil_doer=\$\{j_var_log#${j_root}\}
[ "$evil_doer" = "$j_var_log" ] && exit
cp -f ${temp_log} console.log

Regards

  erdgeist
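
The approach in the message above (cd into the directory first, then compare `pwd` against the jail root before acting on a path relative to the current directory), written out as an added example that is not part of the original e-mail or of rc.d/jail. It assumes `pwd -P` to get the physical path, compares with a trailing slash so that a sibling such as /jail2 is not accepted as being under /jail, and uses hypothetical function names and constructed temporary directories.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; directories are constructed.

# enter_inside ROOT DIR: cd into DIR, then ask where we really are.
# Returns 0 if the physical cwd is ROOT or below it, 1 if it is outside,
# 2 if either directory cannot be entered. Changes the caller's cwd.
enter_inside() {
    ei_root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    cd "$2" 2>/dev/null || return 2
    ei_here=$(pwd -P)
    # Compare with a trailing slash so /jail2 is not taken as inside /jail.
    case "$ei_here/" in
        "$ei_root"/*) return 0 ;;
    esac
    return 1
}

# write_console_log ROOT LOGDIR SRC: copy SRC (absolute path) to
# LOGDIR/console.log only if LOGDIR resolves inside ROOT. The body is a
# subshell, so the cd stays private, and the copy names its target relative
# to the cwd that was just checked instead of re-resolving LOGDIR.
write_console_log() (
    enter_inside "$1" "$2" || exit $?
    cp -f "$3" ./console.log
)

demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/jail/var/log" "$d/jail2" "$d/host/log"
    ln -s "$d/host/log" "$d/jail/var/escape"   # symlink leading out of the jail
    echo "constructed console output" > "$d/tmp.log"
    for dir in "$d/jail/var/log" "$d/jail/var/escape" "$d/jail2"; do
        rc=0
        write_console_log "$d/jail" "$dir" "$d/tmp.log" || rc=$?
        echo "${dir#"$d"} -> status $rc"
    done
    rm -rf "$d"
}
demo
```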



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45ABDC7C.6060407>