Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
- From: Pawel Jakub Dawidek <pjd@xxxxxxxxxxx>
- Date: Sat, 13 Jan 2007 12:29:37 +0100
On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> Hello Everyone,
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).
I don't like the way it was fixed. I do know it wasn't easy to fix.
I don't like it because it breaks almost all my current jails, because I
often use /jails/ paths in fstabs, which is actually a symlink to
/usr/jails/.
What I'd like to suggest, which seems a much better way to fix the problem,
is:
1. Apply the patch:
http://people.freebsd.org/~pjd/patches/realpath.patch
2. Find the full path to the jail's root with `realpath $_rootdir`.
3. Take the first entry from /etc/fstab.<name>; for example we have a
mount-point /usr/jails/foo/usr/lib in there. Run `realpath /usr`
and compare with $_rootfulldir; if it doesn't match, run `realpath
/usr/jails` and compare; if it doesn't match take the next path component
until we find a match.
When a match is found, what's left over is the mount-point inside the jail,
e.g. '/usr/lib'. Now, run real=`realpath -c $_rootdir /usr/lib`, which
will give us the full path inside the jail.
Then, we need to mount the file system on $_rootdir/$real.
4. Repeat 3 for each fstab entry.
With this approach one can use symlinks in any mount-point component.
The whole complexity in point 3 is because people can have the jail's root
configured as '/usr/jails/foo', but use the '/jails/foo' prefix for
mount-points.
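The prefix walk of point 3, written out as an added example (this is not pjd's patch or rc.d/jail code). The proposed `realpath -c` is stood in for by an assumed `jailed_realpath` helper that resolves symlinks component by component while treating absolute symlink targets as relative to the jail root, which is the property that keeps an in-jail symlink from redirecting the host-side mount outside the jail. The directory layout is constructed in a temp dir purely for demonstration.

```python
import os
import shutil
import tempfile


def jailed_realpath(root, path):
    """Resolve `path` as seen from inside the jail rooted at `root`.

    Symlinks are followed one component at a time. An absolute symlink
    target restarts at the jail root (never the host root) and '..' can
    never climb above it, so the returned in-jail path (e.g. '/usr/lib')
    always denotes something under `root` on the host. This is an
    assumed stand-in for what the proposed `realpath -c` would do.
    """
    root = os.path.realpath(root)
    resolved = []                                   # in-jail components so far
    pending = [c for c in path.split('/') if c and c != '.']
    hops = 0
    while pending:
        comp = pending.pop(0)
        if comp == '..':
            if resolved:
                resolved.pop()                      # cannot go above the jail root
            continue
        host = os.path.join(root, *resolved, comp)
        if os.path.islink(host):
            hops += 1
            if hops > 40:
                raise OSError("too many levels of symbolic links: %s" % path)
            target = os.readlink(host)
            if target.startswith('/'):
                resolved = []                       # absolute link: re-root at the jail
            pending = [c for c in target.split('/') if c and c != '.'] + pending
        else:
            resolved.append(comp)
    return '/' + '/'.join(resolved)


def split_jail_mount_point(rootdir, mountpoint):
    """Point 3: find the shortest prefix of the fstab mount-point whose
    realpath is the jail root; the remainder is the in-jail mount-point.
    Symlinks in any prefix component (e.g. /jails -> /usr/jails) are fine."""
    rootfull = os.path.realpath(rootdir)            # point 2: `realpath $_rootdir`
    comps = [c for c in mountpoint.split('/') if c]
    for i in range(1, len(comps) + 1):
        prefix = '/' + '/'.join(comps[:i])
        if os.path.realpath(prefix) == rootfull:
            return '/' + '/'.join(comps[i:])
    raise ValueError("%s is not below jail root %s" % (mountpoint, rootdir))


def host_mount_path(rootdir, mountpoint):
    """Where the host should actually mount: $_rootdir/$real."""
    inside = split_jail_mount_point(rootdir, mountpoint)
    real = jailed_realpath(rootdir, inside)
    return os.path.join(os.path.realpath(rootdir), real.lstrip('/'))


def demo():
    """Constructed layout: <base>/usr/jails/foo is the jail root and
    <base>/jails is a symlink to <base>/usr/jails, mirroring the
    '/jails/foo' vs '/usr/jails/foo' situation described in the mail."""
    base = tempfile.mkdtemp()
    jailroot = os.path.join(base, 'usr', 'jails', 'foo')
    os.makedirs(os.path.join(jailroot, 'usr', 'lib'))
    os.symlink(os.path.join(base, 'usr', 'jails'), os.path.join(base, 'jails'))
    os.symlink('/usr/lib', os.path.join(jailroot, 'lib'))        # absolute in-jail link
    os.symlink('../../../../etc', os.path.join(jailroot, 'climb'))  # tries to leave the jail
    rootdir = os.path.join(base, 'jails', 'foo')                 # symlinked prefix, as in fstab
    try:
        return {
            'inside': split_jail_mount_point(rootdir, os.path.join(rootdir, 'usr', 'lib')),
            'via_link': jailed_realpath(rootdir, '/lib'),
            'climb': jailed_realpath(rootdir, '/climb/passwd'),
            'host_rel': os.path.relpath(host_mount_path(rootdir, os.path.join(rootdir, 'lib')),
                                        os.path.realpath(base)),
        }
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    print(demo())
```

`via_link` shows that /lib -> /usr/lib inside the jail resolves to the jail's own /usr/lib, and `climb` shows that a link with more `..` than the path has depth still lands inside the jail; both are the cases a plain host-side `realpath` would get wrong.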
I'll keep /var/log/console.log outside a jail, because using
'realpath -c' will be dangerous once the jail is running. There could be
a race where `realpath -c` returns one path, an attacker inside a jail
changes one of the resolved path's components, and rc.d/jail from outside
the jail tries to use it.
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@xxxxxxxxxxx http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!