From owner-freebsd-security@FreeBSD.ORG Fri Jan 19 21:29:09 2007
From: viswanadha_kamakshi@emc.com
Date: Fri, 19 Jan 2007 16:14:23 -0500
To: freebsd-security@freebsd.org
Subject: IPsec with Racoon2

Hi!

Can anyone please send a working example of racoon2.conf for IKEv2?

Thanks in advance.
.....kamakshi.

From owner-freebsd-security@FreeBSD.ORG Sat Jan 20 14:24:41 2007
From: Alexander Leidinger
Date: Sat, 20 Jan 2007 15:24:23 +0100
To: Pawel Jakub Dawidek
Message-ID: <20070120152423.3195b15b@Magellan.Leidinger.net>
In-Reply-To: <20070120130308.GD6697@garage.freebsd.pl>
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival, "Simon L. Nielsen"
Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

Quoting Pawel Jakub Dawidek (Sat, 20 Jan 2007 14:03:08 +0100):

> I fully agree that console.log should be outside a jail. At least no one
> proposed a safe solution so far, which also means it's not an easy fix.

What's unsafe about my proposal? I did have a look at the code now, and
it should work (with minor mods).

Original:
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
eval jail ${_flags} -i ${_rootdir} ${_hostname} \
    ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1

if [ "$?" -eq 0 ] ; then
    _jail_id=$(head -1 ${_tmp_jail})
    i=1
    while [ true ]; do
        eval out=\"\${_exec_afterstart${i}:-''}\"

        if [ -z "$out" ]; then
            break;
        fi

        jexec "${_jail_id}" ${out}
        i=$((i + 1))
    done

    echo -n " $_hostname"
    tail +2 ${_tmp_jail} >${_consolelog}
    echo ${_jail_id} > /var/run/jail_${_jail}.id
---snip---

Pseudocode proposal, not tested (changes prefixed with 'x'):
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
x   # assuming safe _consolelog (inside chroot) according to the
x   # previous mails here in the thread
x   # the subshell groups the echo and the jail, so the console log is
x   # opened once (before the jail starts) and both write through that fd
x   ( echo "" ; \
x     eval jail ${_flags} -I /var/run/jail_${_jail}.id \
x         ${_rootdir} ${_hostname} ${_ip} ${_exec_start} ) \
x         > ${_consolelog} 2>&1

if [ "$?" -eq 0 ] ; then
x   # -I is the proposed new jail flag that writes the jid file itself
x   _jail_id=$(cat /var/run/jail_${_jail}.id)
    i=1
    while [ true ]; do
        eval out=\"\${_exec_afterstart${i}:-''}\"

        if [ -z "$out" ]; then
            break;
        fi

        jexec "${_jail_id}" ${out}
        i=$((i + 1))
    done

    echo -n " $_hostname"
x   # (the tail into ${_consolelog} and the echo of the jid are dropped)
x
---snip---

Repeating my points:
- sanitize the consolelog path like discussed in this thread
- the jail is not running, so nobody can create a link (jail root within
  FS space of another jail still prohibited)
- subshell to group echo and jail
- 'echo ""' to make sure the file exists when the jail starts
- (new) additional flag to jail to write a jid file
- redirect to the consolelog, it is still open from the echo when the
  jail starts so there's no race

I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
is line buffered, so the above works.

Where's the security problem in the above?

Bye,
Alexander.

--
I wore my extra loose pants for nothing. Nothing!
        -- Homer Simpson New Kid on the Block

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Mon Jan 22 21:28:49 2007
From: Greg Lewis
Date: Mon, 22 Jan 2007 13:05:00 -0800
To: Martin Blapp
Message-ID: <20070122210500.GA39718@misty.eyesbeyond.com>
In-Reply-To: <20070117101649.A10329@godot.imp.ch>
Cc: freebsd-security@freebsd.org, freebsd-java@freebsd.org
Subject: Re: Recent JDK vulnerability

On Wed, Jan 17, 2007 at 10:18:42AM +0100, Martin Blapp wrote:
> Hi all,
>
> I just read
>
> http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
>
> Will the FreeBSD Foundation release new JDK binaries?

There are new binaries planned. They are built even. Just being held up
by lack of testing time.

--
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Tue Jan 23 11:35:33 2007
From: Pawel Jakub Dawidek
Date: Tue, 23 Jan 2007 12:34:44 +0100
To: Alexander Leidinger
Message-ID: <20070123113444.GB11767@garage.freebsd.pl>
In-Reply-To: <20070120152423.3195b15b@Magellan.Leidinger.net>
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival, "Simon L. Nielsen"
Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek (Sat, 20 Jan 2007 14:03:08 +0100):
>
> > I fully agree that console.log should be outside a jail. At least no one
> > proposed a safe solution so far, which also means it's not an easy fix.
>
> What's unsafe about my proposal? I did have a look at the code now, and
> it should work (with minor mods).
>
> [...]
>
> Repeating my points:
> - sanitize the consolelog path like discussed in this thread
> - the jail is not running, so nobody can create a link (jail root within
>   FS space of another jail still prohibited)
> - subshell to group echo and jail
> - 'echo ""' to make sure the file exists when the jail starts
> - (new) additional flag to jail to write a jid file
> - redirect to the consolelog, it is still open from the echo when the
>   jail starts so there's no race
>
> I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
> is line buffered, so the above works.
>
> Where's the security problem in the above?

It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Tue Jan 23 12:25:20 2007
From: Alexander Leidinger
Date: Tue, 23 Jan 2007 13:25:08 +0100
To: Pawel Jakub Dawidek
Message-ID: <20070123132508.oy4elyx7kkogokkg@webmail.leidinger.net>
In-Reply-To: <20070123113444.GB11767@garage.freebsd.pl>
Cc: freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org, Colin Percival, "Simon L. Nielsen"
Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

Quoting Pawel Jakub Dawidek (from Tue, 23 Jan 2007 12:34:44 +0100):

> On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
>> Quoting Pawel Jakub Dawidek (Sat, 20 Jan 2007 14:03:08 +0100):
>>
>> > I fully agree that console.log should be outside a jail. At least no one
>> > proposed a safe solution so far, which also means it's not an easy fix.
>>
>> What's unsafe about my proposal? I did have a look at the code now, and
>> it should work (with minor mods).
>>
>> [...]
>>
>> I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
>> is line buffered, so the above works.
>>
>> Where's the security problem in the above?
>
> It looks like it may work, but I still find it a bit risky. If sh(1) can
> reopen the file under some conditions or someone in the future will
> modify sh(1) in that way (because he won't be aware that such a change
> may have impact on system security) we will have a security hole.
> Chances are small, but I'm not going to be the one who will accept that
> change:)

The spawned subshell is like a command. It doesn't make sense to reopen
the file for a command. It's like saying we open and close the file for
each line. I didn't calculate the probability of this happening, but I
would be very surprised if it is significant. Just think about the
performance of such behavior (or a more complex logic which
open()/close()es in a more complex way). And if you think about such
unlikely stuff happening, you should also think about some other stuff
we are not prepared to survive. But feel free to propose a better
solution for the problem.

Bye,
Alexander.

--
In Newark the laundromats are open 24 hours a day!

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Tue Jan 23 12:43:39 2007
From: Pawel Jakub Dawidek
Date: Tue, 23 Jan 2007 13:42:48 +0100
To: Alexander Leidinger
Message-ID: <20070123124247.GC11767@garage.freebsd.pl>
In-Reply-To: <20070123132508.oy4elyx7kkogokkg@webmail.leidinger.net>
Cc: freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org, Colin Percival, "Simon L. Nielsen"
Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

On Tue, Jan 23, 2007 at 01:25:08PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek (from Tue, 23 Jan 2007 12:34:44 +0100):
> > It looks like it may work, but I still find it a bit risky. If sh(1) can
> > reopen the file under some conditions or someone in the future will
> > modify sh(1) in that way (because he won't be aware that such a change
> > may have impact on system security) we will have a security hole.
> > Chances are small, but I'm not going to be the one who will accept that
> > change:)
>
> The spawned subshell is like a command. It doesn't make sense to reopen
> the file for a command. It's like saying we open and close the file for
> each line. I didn't calculate the probability of this happening, but I
> would be very surprised if it is significant. Just think about the
> performance of such behavior (or a more complex logic
> [...] And if you think about such unlikely stuff happening, you should
> also think about some other stuff we are not prepared to survive. [...]

Come on, this argument always stands. I only wanted to point out that we
should be extra careful with building security on top of tools that are
not intended for this purpose.

> [...] But feel free to propose a better solution for the problem.

The solution was proposed already - keep console.log outside of jail.

Don't read my comment as a "no" vote for your solution. If secteam@
decides there is nothing to worry about - fine by me.

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
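The property the last three messages turn on (a redirection on a grouped subshell is opened once, before the commands inside it run, and later writes go to that already-open file even if the path is replaced meanwhile) can be checked directly. This is an added example, not code from the thread or from FreeBSD's rc.d/jail: the jail is modelled by a subshell, the path replacement by a mv inside a temporary directory, and `write_after` mirrors the original script's ordering while `open_before` mirrors the proposal.

```shell
#!/bin/sh
# Added example (not from the thread or from rc.d/jail). Compares the two
# orderings discussed in the thread:
#   write_after : run, buffer output in a temp file, then open the log path
#   open_before : open the log path once, before the "jail" starts, inside the
#                 redirection of a grouped subshell, and never reopen it.
set -u

# Constructed stand-in for "the path was replaced while the jail ran":
# the file at $1 is moved to $2 and a fresh, empty file is put at $1.
replace_path() {
    mv "$1" "$2" && : > "$1"
}

# Reports which file ended up holding "jail output": the file that was at the
# log path when we started ("original", now at $1/moved) or the one that sits
# at the path afterwards ("replacement"). Cleans up the temp dir.
_where() {
    if grep -q "jail output" "$1/moved" 2>/dev/null; then r=original
    elif grep -q "jail output" "$1/console.log" 2>/dev/null; then r=replacement
    else r=none; fi
    rm -rf "$1"
    echo "$r"
}

# Original ordering: the log path is only opened by tail(1), after the run,
# so whatever sits at that path by then receives the output.
write_after() {
    dir=$(mktemp -d) || return 2
    log=$dir/console.log
    : > "$log"
    ( echo "jid 1"; replace_path "$log" "$dir/moved"; echo "jail output" ) \
        > "$dir/jail.tmp" 2>&1
    tail -n +2 "$dir/jail.tmp" > "$log"        # opens $log only now
    _where "$dir"
}

# Proposed ordering: the shell opens $log before any command in the group
# runs; the group's fd stays bound to that inode for the whole run.
open_before() {
    dir=$(mktemp -d) || return 2
    log=$dir/console.log
    ( echo ""; replace_path "$log" "$dir/moved"; echo "jail output" ) \
        > "$log" 2>&1                          # opened before the commands run
    _where "$dir"
}

echo "write_after : output landed in the $(write_after) file"
echo "open_before : output landed in the $(open_before) file"
```

With `write_after` the output lands in the replacement file; with `open_before` it stays in the file that was opened before the run, which is the behaviour the proposal depends on and which Pawel's concern (sh(1) reopening the file) would break.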