From owner-freebsd-security@FreeBSD.ORG Tue Jan 23 11:35:33 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C752916A401; Tue, 23 Jan 2007 11:35:33 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: from mail.garage.freebsd.pl (arm132.internetdsl.tpnet.pl [83.17.198.132]) by mx1.freebsd.org (Postfix) with ESMTP id B716B13C44B; Tue, 23 Jan 2007 11:35:32 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id 8D0A5487F3; Tue, 23 Jan 2007 12:35:30 +0100 (CET) Received: from localhost (pjd.wheel.pl [10.0.1.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id D118B45683; Tue, 23 Jan 2007 12:35:23 +0100 (CET) Date: Tue, 23 Jan 2007 12:34:44 +0100 From: Pawel Jakub Dawidek To: Alexander Leidinger Message-ID: <20070123113444.GB11767@garage.freebsd.pl> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <20070120122432.GA971@zaphod.nitro.dk> <20070120130308.GD6697@garage.freebsd.pl> <20070120152423.3195b15b@Magellan.Leidinger.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="BwCQnh7xodEAoBMC" Content-Disposition: inline In-Reply-To: <20070120152423.3195b15b@Magellan.Leidinger.net> X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 7.0-CURRENT i386 User-Agent: mutt-ng/devel-r804 (FreeBSD) X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-5.9 required=3.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.0.4 Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival , "Simon L. Nielsen" Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Jan 2007 11:35:34 -0000 --BwCQnh7xodEAoBMC Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote: > Quoting Pawel Jakub Dawidek (Sat, 20 Jan 2007 14:03:08 = +0100): >=20 > > I fully agree that console.log should be outside a jail. At least noone > > proposed safe solution so far, which also means it's not an easy fix. >=20 > What's unsafe about my proposal? I did had a look at the code now, and > it should work (with minor mods). >=20 > Original: > ---snip--- > _tmp_jail=3D${_tmp_dir}/jail.$$ > eval jail ${_flags} -i ${_rootdir} ${_hostname} \ > ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1 >=20 > if [ "$?" -eq 0 ] ; then > _jail_id=3D$(head -1 ${_tmp_jail}) > i=3D1 > while [ true ]; do > eval out=3D\"\${_exec_afterstart${i}:-''}= \" >=20 > if [ -z "$out" ]; then > break; > fi >=20 > jexec "${_jail_id}" ${out} > i=3D$((i + 1)) > done >=20 > echo -n " $_hostname" > tail +2 ${_tmp_jail} >${_consolelog} > echo ${_jail_id} > /var/run/jail_${_jail}.id > ---snip--- >=20 > Pseudocode proposal, not tested (changes prefixed with 'x'): > ---snip--- > _tmp_jail=3D${_tmp_dir}/jail.$$ > x # assuming safe _consolelog (inside chroot) according > to the > x # previous mails here in the thread > x eval (echo "" ; \ > x jail ${_flags} -I /var/run/jail_${_jail}.id \ > x ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \ > x > ${_consolelog} 2>&1 >=20 > if [ "$?" -eq 0 ] ; then > x _jail_id=3D$(cat /var/run/jail_${_jail}.id) > i=3D1 > while [ true ]; do > eval out=3D\"\${_exec_afterstart${i}:-''}= \" >=20 > if [ -z "$out" ]; then > break; > fi >=20 > jexec "${_jail_id}" ${out} > i=3D$((i + 1)) > done >=20 > echo -n " $_hostname" > x > x > ---snip--- >=20 > Repeating my points: > - sanitize the consolelog path like discussed in this thread > - the jail is not running, so nobody can create a link (jail > root within FS space of another jail still prohibited) > - subshell to group echo and jail > - 'echo ""' to make sure the file exists when the jail starts > - (new) additional flag to jail to write a jid file > - redirect to the consolelog, it is still open from the echo > when the jail starts so there's no race >=20 > I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it > is line buffered, so the above works. >=20 > Where's the security problem in the above? It looks like it may work, but I still find it a bit risky. If sh(1) can reopen the file under some conditions or someone in the future will modify sh(1) in that way (because he won't be aware that such a change may have impact on system security) we will have a security hole. Chances are small, but I'm not going to be the one who will accept that change:) --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --BwCQnh7xodEAoBMC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFFtfLUForvXbEpPzQRAoo1AJ9Q/u5YAPeHsQiOUBCEEOR8BzKuoACbBnQH g1ixkeanvC5aURwI48b/TW4= =TDkY -----END PGP SIGNATURE----- --BwCQnh7xodEAoBMC--