From: Nate Nielsen
Date: Thu, 18 Aug 2005 22:44:42 +0000 (GMT)
To: Attila Nagy
Cc: freebsd-security@FreeBSD.org
Subject: Re: Closing information leaks in jails?

Attila Nagy wrote:
> Hello,
>
> I'm wondering about closing some information leaks in FreeBSD jails from
> the "outside world".
>
> Not that critical (depends on the application), but a simple user, with
> restricted devfs in the jail (devfsrules_jail for example from
> /etc/defaults/devfs.rules) can figure out the following:
>
> - network interfaces related data, via ifconfig, which contains
> everything, but the primary IP address of the interfaces. It seems that
> alias IPs can be viewed:
> bge0: flags=8843 mtu 1500
>         options=1a
>         ether 00:12:79:3d:83:c2
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.2 netmask 0xff000000

For me this only shows the alias assigned to the jail.

> - full dmesg output after boot and the kernel buffer when it overflows
> (can contain sensitive information)

Yes, this is important. Use:

    sysctl -w security.bsd.unprivileged_read_msgbuf=0

> - information about geom providers (at least geom mirror list works)
> - the list of the loaded kernel modules via kldstat
> - some interesting information about the network related stuff via netstat

netstat works, but it limits itself to the jail pretty well. In
particular 'netstat -r' and friends don't work. The normal 'netstat -a'
only shows connections to the current jail. It does show the output from
'netstat -m' and those sort of things, but those say nothing over the
network load of the current machine.

> - information about configured swap space via swapinfo

Not sure I see how this could be used against you.

> - NFS related statistics via nfsstat

Again only statistics. Not sure how this is a problem.

> - a lot of interesting stuff via sysctl

Yes, there's a lot there, but a lot *is* filtered out in a jail.

> Are there any ways to close (some of) these?

My suggestion would be to file bugs one by one for each piece of
information that causes you concern along with the reasoning of why that
information is dangerous or sensitive.

The FreeBSD developers have been attentive to these things, and have
added functionality in almost each release to minimize information
available in a jail. So pointing specific issues out will probably get
good results.

Cheers,
Nate
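
An audit of the items discussed in this thread, as an added example that is not part of the original messages: run inside the jail as an unprivileged user, it reports the current value of the sysctl named in the reply and which of the listed commands still return data. The function names, the `--run` switch and the rule "exit status 0 with non-empty output means visible" are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit, from inside a jail as an unprivileged user, which of
# the items listed in the thread are still readable. It changes nothing.

# check LABEL CMD [ARGS...]
# "visible" = the command exited 0 and printed something; otherwise "closed"
# (denied, filtered down to nothing, or not installed). Returns 1 if visible.
check() {
    label=$1
    shift
    if out=$("$@" 2>/dev/null) && [ -n "$out" ]; then
        echo "$label: visible"
        return 1
    fi
    echo "$label: closed"
}

# Report the knob named in the reply; succeeds only when it is set to 0.
msgbuf_knob() {
    val=$(sysctl -n security.bsd.unprivileged_read_msgbuf 2>/dev/null) || val=unknown
    echo "security.bsd.unprivileged_read_msgbuf=$val"
    [ "$val" = 0 ]
}

# Run every check from the thread and count the ones that still return data.
audit_jail_leaks() {
    leaks=0
    msgbuf_knob || true
    check "dmesg" dmesg || leaks=$((leaks + 1))
    check "geom mirror list" geom mirror list || leaks=$((leaks + 1))
    check "kldstat" kldstat || leaks=$((leaks + 1))
    check "swapinfo" swapinfo || leaks=$((leaks + 1))
    check "nfsstat" nfsstat || leaks=$((leaks + 1))
    echo "$leaks of 5 still visible"
    [ "$leaks" -eq 0 ]
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_jail_leaks
fi
```

Each "visible" line is a candidate for the per-item bug report suggested in the reply; to keep the msgbuf setting across reboots, put `security.bsd.unprivileged_read_msgbuf=0` in `/etc/sysctl.conf` on the host.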