HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Hello Everyone,

I usually let security advisories speak for themselves, but I want to call
special attention to this one: If you use jails, READ THE ADVISORY, in
particular the "NOTE WELL" part below; and if you have problems after applying
the security patch, LET US KNOW -- we do everything we can to make sure
that security updates will never cause problems, but in this case we could
not fix the all of the security issues without either making assumptions
about how systems are configured or reducing functionality.

In the end we opted to reduce functionality (the jail startup process is
no longer logged to /var/log/console.log inside the jail), make an assumption
about how systems are configured (filesystems which are mounted via per-jail
fstab files should not be mounted on symlinks -- if you do this, adjust your
fstab files to give the real, non-symlinked, path to the mount point), and
leave a potential security problem unfixed (if you mount any filesystems via
per-jail fstab files on mount points which are visible within multiple jails,
there are problems -- don't do this).

While this is not ideal, this security issue was extraordinarily messy due to
the power and flexibility of the jails and the jail rc.d script. I can't
recall any other time when the security team has spent this long trying to
find a working patch for a security issue. I'd like to publicly thank Simon
Nielsen for the many many hours he spent working on this issue, as well as
the release engineering team for being very patient with us and delaying the
upcoming release to give us time to fix this.

Sincerely,
Colin Percival
FreeBSD Security Officer

FreeBSD Security Advisories wrote:
=============================================================================
FreeBSD-SA-07:01.jail Security Advisory
The FreeBSD Project

Topic: Jail rc.d script privilege escalation

[snip]

NOTE WELL: The solution described changes the default location of the
"console.log" for jails from /var/log/console.log inside each jail to
/var/log/jail_${jail_name}_console.log on host system. If this is a
problem, it may be possible to create a hard link from the new position
of the console log file to a location inside the jail. A new rc.conf(5)
variable, jail_${jail_name}_consolelog, can be used to change the
location of console.log files on a per-jail basis.

In addition, the solution described below does not fully secure jail
configurations where two jails have overlapping directory trees and a
file system is mounted inside the overlap. Overlapping directory
trees can occur when jails share the same root directory; when a jail
has a root directory which is a subdirectory of another jail's root
directory; or when a part of the file system space of one jail is
mounted inside the file system space of another jail, e.g., using
nullfs or unionfs.

To handle overlapping jails safely the administrator must set the
sysctl(8) variable security.jail.chflags_allowed to 0 (the default)
and manually set the "sunlnk" file/directory flag on all mount points
and all parent directories of mount points. If this is done while
jails are running, the adminstrator must check that an attacker has
not replaced any directories with symlinks after setting the "sunlnk"
flag.

[snip]

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:01.jail.asc

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: Secure shared web hosting using MAC Framework
    ... run the web server and web users shell in a jail, ... Those rights should have priority on any traditional unix file ... This directive allows you to disable certain functions for security reasons. ... Web users and executed web scripts shouldn't be able to read ...
    (FreeBSD-Security)
  • Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
    ... I usually let security advisories speak for themselves, ... In the end we opted to reduce functionality (the jail startup process is ... fstab files should not be mounted on symlinks -- if you do this, ...
    (FreeBSD-Security)
  • Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
    ... I usually let security advisories speak for themselves, ... In the end we opted to reduce functionality (the jail startup process is ... fstab files should not be mounted on symlinks -- if you do this, ...
    (freebsd-stable)
  • HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
    ... I usually let security advisories speak for themselves, ... In the end we opted to reduce functionality (the jail startup process is ... leave a potential security problem unfixed (if you mount any filesystems via ...
    (freebsd-stable)
  • Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
    ... I usually let security advisories speak for themselves, ... In the end we opted to reduce functionality (the jail startup process is ... symlinked parent directories before. ... fstab files should not be mounted on symlinks -- if you do this, ...
    (freebsd-stable)