From owner-freebsd-security@FreeBSD.ORG Mon Jan 15 20:23:24 2007
From: Dirk Engling
To: "Pawel Jakub Dawidek"
Cc: freebsd-security@freebsd.org
Date: Mon, 15 Jan 2007 20:56:44 +0100
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID: <45ABDC7C.6060407@erdgeist.org>
In-Reply-To: <20070113112937.GI90718@garage.freebsd.pl>
References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl>
List-Id: "Security issues [members-only posting]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pawel Jakub Dawidek wrote:
> I'll keep /var/log/console.log outside a jail, because using
> 'realpath -c' will be dangerous once the jail is running. There could be
> a race where `realpath -c` returns one path, an attacker inside a jail
> changes one of the resolved path's components, and rc.d/jail from outside
> the jail tries to use it.

A simple way to prevent race conditions (here an example to mount devfs
into jails) is:

  # -P makes cd/pwd follow symlinks, so the paths compared below are the
  # physical directories we are actually standing in.
  cd -P "${jail_root}" || exit 1
  j_root=`pwd -P`
  cd -P "${jail_dev_dir}" || exit 1
  j_dev=`pwd -P`
  # Bail out unless the target lies strictly below the jail root.
  evil_doer=${j_dev#"${j_root}/"}
  [ "$evil_doer" = "$j_dev" ] && exit 1
  # Operate on ".", never on the path, so nothing can be swapped underneath.
  mount_devfs devfs .

To do the same with console.log (I _really_ like this feature and would
want it re-enabled asap) you can use something like:

  cd -P "${jail_root}" || exit 1
  j_root=`pwd -P`
  cd -P "${jail_var_log_dir}" || exit 1
  j_var_log=`pwd -P`
  # Same containment check as above on the physical path.
  evil_doer=${j_var_log#"${j_root}/"}
  [ "$evil_doer" = "$j_var_log" ] && exit 1
  # Copy into the directory we already hold open, not into a re-resolved path.
  cp -f "${temp_log}" ./console.log

Regards

  erdgeist

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFq9x8ImmQdUyYEgkRAhcjAJ9DYuE4Dfe7A+MexLZ7UgQOgUd12ACgjoxO
4SlRxdYlOXsAVDvfeSeu+e8=
=Xz64
-----END PGP SIGNATURE-----
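The race-free pattern the mail describes (change into the target directory, verify that the physical path you landed in lies under the jail root, then act on "." rather than on a path that could be re-resolved) as a runnable added example. This is not code from the original message or from FreeBSD's rc.d/jail: the function names `jail_copy_log` and `demo_jail_copy` are hypothetical, the devfs mount is replaced by copying a log file so the script runs unprivileged, and the fixture (a jail root with a legitimate `var/log`, a symlink `var/evil` pointing outside the jail, and a `..` escape) is constructed on the fly under `mktemp`.

```shell
#!/bin/sh
# Added example (not from the original mail). Demonstrates the
# "cd first, check the physical path, then operate on ." pattern.

# jail_copy_log <jail_root> <target_dir> <srcfile>
# Returns 0 on success, 1 if <target_dir> resolves outside <jail_root>,
# 2 if either directory cannot be entered. On success the copy goes to
# ./console.log in the directory we are standing in, never to a path string.
jail_copy_log() {
    jail_root=$1; target_dir=$2; src=$3
    # Physical (symlink-resolved) jail root.
    j_root=$(cd -P -- "$jail_root" && pwd -P) || return 2
    # Enter the target; -P follows symlinks so pwd -P is where we really are.
    cd -P -- "$target_dir" || return 2
    j_dir=$(pwd -P)
    # Containment check: the physical target must be strictly below j_root.
    # The trailing slash stops /jail2 from matching a root of /jail.
    case $j_dir in
        "$j_root"/*) ;;
        *) return 1 ;;
    esac
    # Act on ".": an attacker swapping components of the path after this
    # point cannot redirect the write, because we already hold the directory.
    cp -f -- "$src" ./console.log
}

# demo_jail_copy: builds a constructed fixture and exercises three targets.
# Prints one line: ok=<legit rc> evil=<symlink rc> dotdot=<.. rc>
#                  logged=<console.log in jail?> leaked=<console.log outside?>
demo_jail_copy() {
    base=$(mktemp -d) || return 3
    mkdir -p "$base/jail/var/log" "$base/outside"
    # Symlink planted "inside" the jail that points outside it.
    ln -s "$base/outside" "$base/jail/var/evil"
    printf 'boot log\n' > "$base/tmp.log"

    # Each call runs in a subshell so the cd does not leak into our cwd.
    ok=0; ( jail_copy_log "$base/jail" "$base/jail/var/log" "$base/tmp.log" ) || ok=$?
    bad=0; ( jail_copy_log "$base/jail" "$base/jail/var/evil" "$base/tmp.log" ) || bad=$?
    dd=0; ( jail_copy_log "$base/jail" "$base/jail/var/../.." "$base/tmp.log" ) || dd=$?

    [ -f "$base/jail/var/log/console.log" ] && logged=1 || logged=0
    [ -e "$base/outside/console.log" ] && leaked=1 || leaked=0
    rm -rf "$base"
    echo "ok=$ok evil=$bad dotdot=$dd logged=$logged leaked=$leaked"
}

demo_jail_copy
```

The symlink and `..` cases are rejected only because both `cd` and `pwd` are run with `-P`; with the default logical mode, `pwd` reports the path as typed (`.../jail/var/evil`), the prefix check passes, and the copy lands in `outside/`. The `case` pattern with the quoted root plus `/*` replaces the `eval`-based prefix strip, which would misparse a jail root containing spaces or shell metacharacters.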