Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]



On Tue, Jan 23, 2007 at 01:25:08PM +0100, Alexander Leidinger wrote:
Quoting Pawel Jakub Dawidek <pjd@xxxxxxxxxxx> (from Tue, 23 Jan 2007 12:34:44 +0100):
It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)

The spawned subshell is like a command. It doesn't make sense to reopen the file for a command. It's like saying we open and close the file for each line. I didn't
calculated the probability of this to happen, but I would be very surprised if it is significant. Just think about the performance of such behavior (or a more complex logic
[...] And if you think about such unlikely stuff to happen, you should also think about some other stuff we are not prepared to
survive. [...]

Come on, this argument always stands. I only wanted to point out that we
should be extra careful with building security on top of tools that are
not intended for this purpose.

[...] But feel free to propose a better solution for the problem.

The solution was proposed already - keep console.log outside of jail.

Don't read my comment as a "no" vote for your solution. If secteam@
decide there is nothing to be worry about - fine by me.

--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@xxxxxxxxxxx http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!

Attachment: pgpHCtELEDXwp.pgp
Description: PGP signature