Re: Closing information leaks in jails?

From: Attila Nagy (bra_at_fsn.hu)
Date: 08/19/05

  • Next message: Pawel Malachowski: "Re: Closing information leaks in jails?"
    Date: Fri, 19 Aug 2005 10:20:14 +0200
    To: nielsen@memberwebs.com
    
    

    Nate Nielsen wrote:
    > For me this only shows the alias assigned to the jail.
    You are right.

    >>- full dmesg output after boot and the kernel buffer when it overflows
    >>(can contain sensitive information)
    > Yes, this is important. Use:
    > sysctl -w security.bsd.unprivileged_read_msgbuf=0
    Hmm, thanks, that was new info for me.

    > only shows connections to the current jail. It does show the output from
    > 'netstat -m' and those sort of things, but those say nothing over the
    > network load of the current machine.
    Yes, they are not that critical.

    >>- information about configured swap space via swapinfo
    > Not sure I see how this could be used against you.
    Nothing bad, but I can imagine a situation where the operator of the
    host machine wants to hide everything about the real specifications. For
    example if the machine is overbooked and the swap is lightly or heavily
    used, etc.

    >>- NFS related statistics via nfsstat
    > Again only statistics. Not sure how this is a problem.
    For me, they are not, just another thing, which could be guessed about
    the host and not the jail (if I am right).

    >>- a lot of interesting stuff via sysctl
    > Yes, there's a lot there, but a lot *is* filtered out in a jail.
    Yep.

    > My suggestion would be to file bugs one by one for each piece of
    > information that causes you concern along with the reasoning of why that
    > information is dangerous or sensitive.
    The biggest issue for me was dmesg and the ARP table. All of the others
    were there because I wanted to know what else an unprivileged
    user could guess about the host.

    I will open a PR with the ARP table issue.

    > The FreeBSD developers have been attentive to these things, and have
    > added functionality in almost each release to minimize information
    > available in a jail. So pointing specific issues out will probably get
    > good results.
    Yes, last time I checked these, the user in a jail could list all of the
    mounted file systems. Now it is less chatty. :)

    Thanks,

    -- 
    Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
    Adopt a directory on our free software   phone @work: +361 371 3536
    server! http://www.fsn.hu/?f=brick             cell.: +3630 306 6758
    
