Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

From: Pawel Jakub Dawidek <pjd@xxxxxxxxxxx>
Date: Sat, 20 Jan 2007 14:03:08 +0100

On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote:
[...]

BTW. with regard to the console.log file I really don't think it
should be put back inside the jail unless it's possible to make the
generation of the file entirely inside the jail since it's just not
worth the risk/complexity. I think it should be possible to do this
with jail(8) in -CURRENT (see -J flag), but:

When -J operates on a file inside a jail, it create the same security
hole as the one from security advisory, because it opens a file before
calling jail(2).
I fully agree that console.log should be outside a jail. At least noone
proposed safe solution so far, which also means it's not an easy fix.

--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@xxxxxxxxxxx http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!

Attachment: pgpRpYQQThk2t.pgp
Description: PGP signature

Follow-Ups:
- Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
  - From: Alexander Leidinger
- Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
  - From: Dirk Engling
- Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
  - From: Simon L. Nielsen

References:
- FreeBSD Security Advisory FreeBSD-SA-07:01.jail
  - From: FreeBSD Security Advisories
- HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
  - From: Colin Percival
- Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
  - From: Pawel Jakub Dawidek
- Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
  - From: Simon L. Nielsen

Prev by Date: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
Next by Date: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
Previous by thread: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
Next by thread: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
Index(es):
- Date
- Thread

Relevant Pages

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBS
... should be put back inside the jail unless it's possible to make the ... worth the risk/complexity. ... hole as the one from security advisory, because it opens a file before ... which also means it's not an easy fix. ...
(freebsd-stable)
Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBS
... should be put back inside the jail unless it's possible to make the ... worth the risk/complexity. ... hole as the one from security advisory, because it opens a file before ... At least that was what I thought might be possible with the -J switch ...
(freebsd-stable)
Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBS
... should be put back inside the jail unless it's possible to make the ... worth the risk/complexity. ... hole as the one from security advisory, because it opens a file before ... At least that was what I thought might be possible with the -J switch ...
(FreeBSD-Security)
Hakim Saad Atef will confer Endora
... commerce, whilst Abdul reluctantly multiplys them too. ... faithful succession. ... answering belt worth my lap. ... jail now, won't offer jails later. ...
(sci.crypt)
Re: Stupid Arse Hole who over cheated
... The 4 years jail was a little too much for this lady in comparision to ... how much $$78.9 tirillion dollar is worth. ... probably thinks $$78 trilllion is the same as philipinne pesos or even ... The bank manager obviously knew it iwas not possible ot have a depsoit ...
(soc.culture.singapore)