Date: Sun, 13 Jul 2014 04:55:04 +0200
From: Mateusz Guzik <mjguzik@gmail.com>
To: Warren Block <wblock@wonkity.com>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: mergemaster and better support for ezjails
Message-ID: <20140713025504.GB16884@dft-labs.eu>
In-Reply-To: <alpine.BSF.2.11.1407121753240.50320@wonkity.com>
References: <alpine.BSF.2.11.1407121753240.50320@wonkity.com>
On Sat, Jul 12, 2014 at 08:08:52PM -0600, Warren Block wrote:
> A couple of patches to make mergemaster work better with ezjails.
>
> These are only very superficially tested. Feedback welcome.
>
> 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This
> allows IGNORE_FILES to be set in the jail. And other settings, but
> that's the one I wanted.
>

How exactly does it work? Is jailed root allowed to create
/etc/mergemaster.rc? If so, that would be a jail escape vector - an
attacker puts commands they want to execute inside, and mergemaster
sourcing the file will trigger executing them.

In fact, running mergemaster from "outside" on an untrusted jail seems
like a security weakness even without a jailed-root-controlled rc file,
since they can try to do something fishy with symlinks, which now resolve
to stuff on the host.

The following should be safe enough:
- have a dedicated RO jail
- mount the to-be-updated jail under /mnt/jail or whatever
- mount sources/whatever RO under /usr/src or whatever
- run the update process from inside the dedicated RO jail

-- 
Mateusz Guzik <mjguzik gmail.com>
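The two hazards in the reply above (a jail-writable rc file being sourced on the host, and jail-planted symlinks resolving into the host's filesystem when the update runs from outside) can be reproduced without a real jail. The script below is an added example; it is not code from this thread, from mergemaster or from ezjail. It builds a throwaway "host" and "jail" tree under a mktemp directory, shows a naive host-side script falling into both traps, and then shows a hardened install that canonicalises the destination with readlink -f and refuses anything that resolves outside the jail root. The file names, the jail layout and the hardened check are illustrative assumptions; it relies only on POSIX sh plus readlink -f as shipped with GNU coreutils and FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the thread, from mergemaster or from ezjail.
# It builds a throwaway "host" and "jail" tree under a mktemp directory to
# show the two hazards raised in the reply: (1) sourcing a jail-writable rc
# file runs the jail's commands on the host, and (2) a symlink planted by
# jailed root resolves against the host namespace when the update runs from
# outside. All paths, file names and the hardened check are illustrative
# assumptions; readlink -f is assumed to behave as on GNU coreutils/FreeBSD.

# Build the demo tree (constructed sample data) and print its top directory.
demo_setup() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/host_etc" "$work/jails/web/etc" || return 1
    printf 'root:*:0:0:host root\n' > "$work/host_etc/passwd"
    # Jailed root plants a symlink that points out of the jail...
    ln -s ../../../host_etc/passwd "$work/jails/web/etc/passwd"
    # ...and an rc file carrying a command of its choosing.
    printf 'touch "%s/pwned_by_jail"\n' "$work" > "$work/jails/web/etc/mergemaster.rc"
    printf '%s\n' "$work"
}

# Hazard 1: a host-side script sourcing the jail's rc file if present.
# Whatever jailed root wrote into it now runs with the host's privileges.
naive_source_rc() {
    jail=$1
    if [ -f "$jail/etc/mergemaster.rc" ]; then
        . "$jail/etc/mergemaster.rc"
    fi
}

# Hazard 2: naive install of a file into the jail. cp writes through the
# symlink, so the new content lands on the host's file, not the jail's.
naive_install() {
    jail=$1; src=$2; rel=$3
    cp "$src" "$jail/$rel"
}

# Hardened install: canonicalise both the jail root and the destination
# (every path component, symlinks included) and refuse unless the
# destination still lies below the root.
safe_install() {
    jail=$1; src=$2; rel=$3
    root=$(readlink -f "$jail") || return 1
    dest=$(readlink -f "$jail/$rel") || return 1
    case $dest in
        "$root"/*) cp "$src" "$dest" ;;
        *) printf 'refusing %s: resolves to %s outside %s\n' "$rel" "$dest" "$root" >&2
           return 1 ;;
    esac
}

# Outcome checks: did the planted command run, and is the host file intact?
marker_exists()    { [ -e "$1/pwned_by_jail" ]; }
host_file_intact() { grep -q 'host root' "$1/host_etc/passwd"; }
demo_cleanup()     { rm -rf "$1"; }

# Stand-alone run: trigger both hazards, then watch the hardened check refuse.
demo_main() {
    w=$(demo_setup) || return 1
    printf 'root:*:0:0:jail root\n' > "$w/new_passwd"
    naive_source_rc "$w/jails/web"
    marker_exists "$w" && echo "rc sourced: the jail's command ran on the host"
    naive_install "$w/jails/web" "$w/new_passwd" etc/passwd
    host_file_intact "$w" || echo "naive cp: host_etc/passwd was overwritten"
    safe_install "$w/jails/web" "$w/new_passwd" etc/passwd || echo "safe_install refused the escaping path"
    demo_cleanup "$w"
}
demo_main
```

The path check is a narrow illustration, not a substitute for the approach the reply recommends: jailed root can swap the symlink in between readlink and cp, so a host-side checker is still racing an attacker who owns the tree. Doing the update from inside a dedicated read-only jail with the target nullfs-mounted under it removes the host's namespace from the picture altogether, which is why that is the safer design.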