Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 16 Jan 2007 10:43:57 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc:        Dirk, freebsd-security@FreeBSD.org, Engling <erdgeist@erdgeist.org>, Colin Percival <cperciva@FreeBSD.org>
Subject:   Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID:  <20070116104357.jkztqfpta88wk48c@webmail.leidinger.net>
In-Reply-To: <20070116084243.GA1117@garage.freebsd.pl>
References:  <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org> <20070115210826.GA2839@garage.freebsd.pl> <45ABEEEE.4030609@erdgeist.org> <20070115220039.GB2839@garage.freebsd.pl> <45AC29EA.70009@erdgeist.org> <45AC2E9F.20901@freebsd.org> <45AC35A6.7090103@erdgeist.org> <20070116133259.N5056@delplex.bde.org> <20070116084243.GA1117@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help 
Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (from Tue, 16 Jan 2007 =20
09:42:43 +0100):

> =09good-guy=09=09=09=09attacker-within-a-jail
>
> =09cd /jail/var/log
> =09mktemp foo.XXX
> =09=09=09=09=09=09rm -f foo.XXX
> =09=09=09=09=09=09ln -s /etc/spwd.db foo.XXX
> =09copy /path/to/jail_console.log foo.XXX
> =09mv -f foo.XXX console.log

I did not have time to look at how the console part is handled. But =20
out of the blue I would assume the console.log is created before the =20
jail is started. Like:
  - check if console.log is a file which we are allowed to
    overwrite (no symlink pointing outside the jail)
  - bail out if it points outside the jail or prefix the jail
    base directory to the resulting path if it is a link
  - (echo "Starting $(date)"; start_jail) >>${console.log}
    The echo is there to make sure it exists and the subshell
    to make sure the file is not closed. This assumes the output
    is not more than line buffered (it isn't here on Solaris 10
    with zsh).

Why can't we do it like this?

Bye,
Alexander.

--=20
" "
=09=09-- Charlie Chaplin

" "
=09=09-- Harpo Marx

" "
=09=09-- Marcel Marceau

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID =3D B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID =3D 72077137

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070116104357.jkztqfpta88wk48c>