Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

On 2007.01.20 14:03:08 +0100, Pawel Jakub Dawidek wrote:
On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote:
[...]
BTW. with regard to the console.log file I really don't think it
should be put back inside the jail unless it's possible to make the
generation of the file entirely inside the jail since it's just not
worth the risk/complexity. I think it should be possible to do this
with jail(8) in -CURRENT (see -J flag), but:

When -J operates on a file inside a jail, it create the same security
hole as the one from security advisory, because it opens a file before
calling jail(2).

My thought with using -J was not place the info about jid in a file
outside the jail root, basically (pseudo code):

_tmpfile=`mktemp...`
jail -J $_tmpfile "sh /etc/rc > /var/log/console.log"
_jid=`cat $_tmpfile | something`

At least that was what I thought might be possible with the -J switch
when I noticed it existed. In any case, actually coding this,
verifying that it works and is safe is left up to anyone who cares
about having console.log inside the jail.

--
Simon L. Nielsen
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages