Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pawel Jakub Dawidek wrote:

I'll keep /var/log/console.log outside a jail, because using
'realpath -c' will be dangerous once the jail is running. There could be
a race where `realpath -c` returns one path, an attacker inside a jail
changes one of resolved path's component and rc.d/jail from outside a
jail tries to use it.

A simple way to prevent race conditions (here an example to mount devfs
into jails) is:

cd ${jail_root}
j_root=`pwd`
cd ${jail_dev_dir}
j_dev=`pwd`
eval evil_doer=\$\{j_dev#${j_root}\}
[ "$evil_doer" = "$j_dev" ] && exit
mount_devfs devfs .

To do the same with console.log (I _really_ like this feature and would
want it re-enabled asap) you can use something like:

cd ${jail_root}
j_root=`pwd`
cd ${jail_var_log_dir}
j_var_log=`pwd`
eval evil_doer=\$\{j_var_log#${j_root}\}
[ "$evil_doer" = "$j_var_log" ] && exit
cp -f ${temp_log} console.log

Regards

erdgeist
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFq9x8ImmQdUyYEgkRAhcjAJ9DYuE4Dfe7A+MexLZ7UgQOgUd12ACgjoxO
4SlRxdYlOXsAVDvfeSeu+e8=
=Xz64
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: Jail Statistics Re: Graham Crackers
    ... It relates to race only in that some races are more represented in the lower ... black men going to jail. ... >> And the people in jail generally reflect only crime among the under ... > disproportionate representation of those at the "bottom" of the socio ...
    (misc.rural)
  • Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
    ... 'realpath -c' will be dangerous once the jail is running. ... A simple way to prevent race conditions (here an example to mount devfs ... # echo $j_root ...
    (FreeBSD-Security)
  • New jail related rc.conf variable
    ... there were some variables controlling whether or not I want to mount devfs ... or procfs, I did not found any simple way to use some nullfs or unionfs ... I though that the jail rc script was laking ...
    (freebsd-current)
  • New jail related rc.conf variable
    ... there were some variables controlling whether or not I want to mount devfs ... or procfs, I did not found any simple way to use some nullfs or unionfs ... I though that the jail rc script was laking ...
    (freebsd-current)
  • Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
    ... I usually let security advisories speak for themselves, ... In the end we opted to reduce functionality (the jail startup process is ... fstab files should not be mounted on symlinks -- if you do this, ... Find full path to jail's root with `realpath $_rootdir`. ...
    (FreeBSD-Security)