From: Dirk Engling
Date: Mon, 15 Jan 2007 22:15:26 +0100
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Pawel Jakub Dawidek wrote:

> In other words, it may break existing configurations.

Sorry, I meant "pwd -P" and assumed that, according to pwd's man page,
to be default.

>> cd ${jail_root}
>> j_root=`pwd`
>> cd ${jail_var_log_dir}
>> j_var_log=`pwd`
>> eval evil_doer=\$\{j_var_log#${j_root}\}
>> [ "$evil_doer" = "$j_var_log" ] && exit
>
> --> Race <--
>
>> cp -f ${temp_log} console.log

No, since that directory is your cwd, you operate on ./ which won't
change by setting soft links along the path. You won't even be able to
remove that directory in the first place since the directory's vnode is
locked.

Regards

erdgeist