From owner-freebsd-security@FreeBSD.ORG Tue Jan 23 12:25:20 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9F40216A400; Tue, 23 Jan 2007 12:25:20 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.freebsd.org (Postfix) with ESMTP id E003413C4E7; Tue, 23 Jan 2007 12:25:19 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A5DA15.dip.t-dialin.net [84.165.218.21]) by redbull.bpaserver.net (Postfix) with ESMTP id 202692E1B0; Tue, 23 Jan 2007 13:34:26 +0100 (CET) Received: from webmail.leidinger.net (webmail.Leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id 8A1395B4C0E; Tue, 23 Jan 2007 13:25:08 +0100 (CET) Received: (from www@localhost) by webmail.leidinger.net (8.13.8/8.13.8/Submit) id l0NCP8j1007485; Tue, 23 Jan 2007 13:25:08 +0100 (CET) (envelope-from Alexander@Leidinger.net) Received: from psbru.cec.eu.int (psbru.cec.eu.int [158.169.131.14]) by webmail.leidinger.net (Horde MIME library) with HTTP; Tue, 23 Jan 2007 13:25:08 +0100 Message-ID: <20070123132508.oy4elyx7kkogokkg@webmail.leidinger.net> X-Priority: 3 (Normal) Date: Tue, 23 Jan 2007 13:25:08 +0100 From: Alexander Leidinger To: Pawel Jakub Dawidek References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <20070120122432.GA971@zaphod.nitro.dk> <20070120130308.GD6697@garage.freebsd.pl> <20070120152423.3195b15b@Magellan.Leidinger.net> <20070123113444.GB11767@garage.freebsd.pl> In-Reply-To: <20070123113444.GB11767@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) H3 (4.1.3) / FreeBSD-7.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-14.864, required 6, autolearn=not spam, BAYES_00 -15.00, DK_POLICY_SIGNSOME 0.00, FORGED_RCVD_HELO 0.14) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No X-Mailman-Approved-At: Tue, 23 Jan 2007 12:40:15 +0000 Cc: freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org, Colin Percival , "Simon L. Nielsen" Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Jan 2007 12:25:20 -0000 Quoting Pawel Jakub Dawidek (from Tue, 23 Jan 2007 =20 12:34:44 +0100): > On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote: >> Quoting Pawel Jakub Dawidek (Sat, 20 Jan 2007 =20 >> 14:03:08 +0100): >> >> > I fully agree that console.log should be outside a jail. At least noone >> > proposed safe solution so far, which also means it's not an easy fix. >> >> What's unsafe about my proposal? I did had a look at the code now, and >> it should work (with minor mods). >> >> Original: >> ---snip--- >> _tmp_jail=3D${_tmp_dir}/jail.$$ >> eval jail ${_flags} -i ${_rootdir} ${_hostname} \ >> ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1 >> >> if [ "$?" -eq 0 ] ; then >> _jail_id=3D$(head -1 ${_tmp_jail}) >> i=3D1 >> while [ true ]; do >> eval out=3D\"\${_exec_afterstart${i}:-''}= \" >> >> if [ -z "$out" ]; then >> break; >> fi >> >> jexec "${_jail_id}" ${out} >> i=3D$((i + 1)) >> done >> >> echo -n " $_hostname" >> tail +2 ${_tmp_jail} >${_consolelog} >> echo ${_jail_id} > /var/run/jail_${_jail}.id >> ---snip--- >> >> Pseudocode proposal, not tested (changes prefixed with 'x'): >> ---snip--- >> _tmp_jail=3D${_tmp_dir}/jail.$$ >> x # assuming safe _consolelog (inside chroot) according >> to the >> x # previous mails here in the thread >> x=09=09eval (echo "" ; \ >> x jail ${_flags} -I /var/run/jail_${_jail}.id \ >> x ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \ >> x > ${_consolelog} 2>&1 >> >> if [ "$?" -eq 0 ] ; then >> x _jail_id=3D$(cat /var/run/jail_${_jail}.id) >> i=3D1 >> while [ true ]; do >> eval out=3D\"\${_exec_afterstart${i}:-''}= \" >> >> if [ -z "$out" ]; then >> break; >> fi >> >> jexec "${_jail_id}" ${out} >> i=3D$((i + 1)) >> done >> >> echo -n " $_hostname" >> x >> x >> ---snip--- >> >> Repeating my points: >> - sanitize the consolelog path like discussed in this thread >> - the jail is not running, so nobody can create a link (jail >> root within FS space of another jail still prohibited) >> - subshell to group echo and jail >> - 'echo ""' to make sure the file exists when the jail starts >> - (new) additional flag to jail to write a jid file >> - redirect to the consolelog, it is still open from the echo >> when the jail starts so there's no race >> >> I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it >> is line buffered, so the above works. >> >> Where's the security problem in the above? > > It looks like it may work, but I still find it a bit risky. If sh(1) can > reopen the file under some conditions or someone in the future will > modify sh(1) in that way (because he won't be aware that such a change > may have impact on system security) we will have a security hole. > Chances are small, but I'm not going to be the one who will accept that > change:) The spawned subshell is like a command. It doesn't make sense to =20 reopen the file for a command. It's like saying we open and close the =20 file for each line. I didn't calculated the probability of this to =20 happen, but I would be very surprised if it is significant. Just think =20 about the performance of such behavior (or a more complex logic which =20 open()/close()es in a more complex way). And if you think about such =20 unlikely stuff to happen, you should also think about some other stuff =20 we are not prepared to survive. But feel free to propose a better =20 solution for the problem. Bye, Alexander. --=20 In Newark the laundromats are open 24 hours a day! http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID =3D B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID =3D 72077137