Re: bind() on 127.0.0.1 in jail: bound to the outside address?

From: Bryan Fullerton (fehwalker_at_gmail.com)
Date: 02/28/05 

Date: Mon, 28 Feb 2005 16:12:28 -0500
To: freebsd-arch@freebsd.org, freebsd-security@freebsd.org

I'd noticed this as well, but assumed it was a feature. Given that
there's only one IP inside the jail, how do you bind to a loopback IP
that doesn't exist?

I suspect the behavior you're seeing is another 'simple hack' to allow
binding to the loopback IP to not just immediately fail with "unable
to bind".

If this isn't documented somewhere (I didn't bother to check, it made
sense to me once I figured out what it was doing) it should be. I have
noticed that documentation of jail in the handbook in general is a bit
lacking, maybe I'll see if I can find time to look at that (heh).

Bryan

On Tue, 1 Mar 2005 00:25:48 +0800, Xin LI <delphij@frontfree.net> wrote:
> Dear folks,
>
> It seems that doing bind() inside a jail (whose IP address is an outside
> address), will result in some wierd behavior, that the actual bind is
> done on the outside address.
>
> For example, binding to 127.0.0.1:6666 inside a jail addressed 192.168.1.1,
> will finally result in a bind to 192.168.1.1:6666. With this in mind,
> it is possible that some formerly secure configuration fail in jail
> environment.
>
> It seems that our implementation will forward every loopback connection
> to the outside address. A simple hack to work around this issue might
> be to modify the individual bind procedures to treat prison case with
> loopback address, but I'm not sure if a true solution can solve the
> issue with minimum code change and code complexity.
>
> Your ideas are highly appreciated!
>
> Cheers,
> --
> Xin LI <delphij frontfree net> http://www.delphij.net/
> See complete headers for GPG key and other information.
>
>
>
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Relevant Pages

  • right in search of drunk art
    ... Hassan's selection. ... I bind once, invent shyly, then release ... in conjunction with the plastic as for the jail. ...
    (sci.crypt)
  • Re: BIND inside a jail on FreeBSD 6.0
    ... devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted ... (I realize that BIND already runs in a chroot'd environment, ... I tried mounting the devfs outside the jail to the jail's ...
    (freebsd-questions)
  • Re: chroot versus jail for the name daemon
    ... > assuming named is running as user and group bind (rather than as root)? ... > 3) What happens if named is broken while in a jail, ... That means an attacker can set things up so ...
    (freebsd-questions)
  • bind() on 127.0.0.1 in jail: bound to the outside address?
    ... It seems that doing bind() inside a jail (whose IP address is an outside ... It seems that our implementation will forward every loopback connection ... issue with minimum code change and code complexity. ...
    (FreeBSD-Security)
  • bind() on 127.0.0.1 in jail: bound to the outside address?
    ... It seems that doing bind() inside a jail (whose IP address is an outside ... It seems that our implementation will forward every loopback connection ... issue with minimum code change and code complexity. ...
    (freebsd-arch)