Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail



Quoting Pawel Jakub Dawidek <pjd@xxxxxxxxxxx> (from Tue, 16 Jan 2007 09:42:43 +0100):

> good-guy attacker-within-a-jail
>
> cd /jail/var/log
> mktemp foo.XXX
> rm -f foo.XXX
> ln -s /etc/spwd.db foo.XXX
> copy /path/to/jail_console.log foo.XXX
> mv -f foo.XXX console.log

I did not have time to look at how the console part is handled. But out of the blue I would assume the console.log is created before the jail is started. Like:
- check if console.log is a file which we are allowed to
overwrite (no symlink pointing outside the jail)
- bail out if it points outside the jail or prefix the jail
base directory to the resulting path if it is a link
- (echo "Starting $(date)"; start_jail) >>${console.log}
The echo is there to make sure it exists and the subshell
to make sure the file is not closed. This assumes the output
is not more than line buffered (it isn't here on Solaris 10
with zsh).

Why can't we do it like this?

Bye,
Alexander.

--
" "
-- Charlie Chaplin

" "
-- Harpo Marx

" "
-- Marcel Marceau

http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
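The check-then-append sequence sketched in the reply above, written out as an added example; it is not code from this thread or from the FreeBSD rc scripts. The jail root path, the function names and the use of a plain command in place of the real jail start are assumptions. The check runs on the host before the jail is started, so no jailed process can race it, and it rejects both a symlink left at the log path (the mktemp/ln -s trick quoted above) and a parent directory that resolves outside the jail.

```shell
#!/bin/sh
# Added example: refuse to append a jail's console.log to anything that is a
# symlink or that resolves outside the jail root. Run on the host before the
# jail starts, so processes inside the jail cannot race the check.

# canon_dir PATH: print the physical (symlink-resolved) path of PATH's parent
# directory; works even if the final component does not exist yet.
canon_dir() {
    ( cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P )
}

# jail_console_log_check JAILROOT LOGPATH
# Returns 0 if LOGPATH is safe to open for append from the host:
#  - JAILROOT must be an existing directory
#  - LOGPATH's parent directory must resolve to somewhere inside JAILROOT
#  - LOGPATH itself must not be a symlink, wherever it points
#  - if LOGPATH already exists it must be a regular file
jail_console_log_check() {
    jroot=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
    log=$2
    parent=$(canon_dir "$log") || return 1
    case "$parent" in
        "$jroot"|"$jroot"/*) ;;
        *) return 1 ;;      # parent directory escapes the jail
    esac
    if [ -L "$log" ]; then
        return 1            # symlink: never follow it
    fi
    if [ -e "$log" ] && [ ! -f "$log" ]; then
        return 1            # exists but is not a regular file
    fi
    return 0
}

# start_jail_logged JAILROOT LOGPATH CMD...
# Appends a start marker and CMD's output to LOGPATH only after the check
# passes. CMD stands in for the real jail start (assumption).
start_jail_logged() {
    jail_console_log_check "$1" "$2" || return 1
    sjl_log=$2; shift 2
    { echo "Starting $(date)"; "$@"; } >>"$sjl_log"
}
```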
