From: Pawel Jakub Dawidek
To: Devin Teske
Cc: freebsd-rc@freebsd.org, Julian Elischer
Date: Wed, 20 Oct 2010 21:47:20 +0200
Subject: Re: sysrc(8) -- a sysctl(8)-like utility for managing rc.conf(5)
Message-ID: <20101020194720.GB1755@garage.freebsd.pl>
In-Reply-To: <1287594703.19873.58.camel@localhost.localdomain>

On Wed, Oct 20, 2010 at 10:11:43AM -0700, Devin Teske wrote:
> > Then when you copy a
> > file to $ROOTDIR/tmp/ you must be sure there is no symbolic link under
> > the same name, as cp(1) will follow symbolic link and you can end up
> > overwriting e.g. /etc/spwd.db with /bin/ls. I think it will be easier to
> > just create random directory in $ROOTDIR/tmp/. This all must be done of
> > course when jail is turned off.
>
> I don't follow why the jail has to be off.

Because jailed root can mess with those files during your work (which is
bad in the chroot(8) case).

> And yes, similarly, the root-user of a jail can poison the shared
> libraries too, but again in the context of chroot/jexec the master host
> is protected.
>
>
> > Also for this reason I'd forget about chroot(8) -
> > even if you remember about libraries, there might still be malicious
> > configuration files, etc. so jexec(8) is the only option.
>
> I fail to see the difference between chroot(8) and jexec(8). Both rely
> on chroot(2).

So why do you think we have jail and not only chroot? File system
namespace is not everything. When you chroot, a malicious command still
has access to all the other namespaces - non-jailed processes being one.
It can then use ptrace to attach to non-jailed process and run with its
privileges and restrictions, i.e. outside chroot. Being able to even
signal non-jailed processes alone is not good either. There are plenty of
ways to escape from a chroot when you are root.

chroot might be quite ok when you are running as regular user, but you
still have access to various namespaces even if read-only. There also
might be a uid collision - non-jailed uid=1000 user might not be the same
as jailed uid=1000 user, but when running in chroot with this uid you can
use non-jailed uid=1000 process to escape.

chroot wasn't really designed for what it is used and for what you are
trying to use it.

> > Maybe it
> > will be wiser to just limit your script to operate within
> > fully-populated jails, so that you can always call 'jexec sysrc'?
>
> While that remains an option (and indeed a very valid approach since a
> "service jail" -- that is, a light-weight jail for running single
> daemons etc. in -- is unlikely to have a complementary set of rc.conf(5)
> files).
>
> Though I believe it to still be worth the effort to find a safe-way of
> reaching into the jail to perform the action because it's nice for
> developers to be able to depend on the script to get the job done
> regardless of whether (a) the jail has the script, (b) the jail has an
> untainted copy of the script (though admittedly the latter depends on
> untainted dependencies such as sh(1), grep(1), cp(1), etc.).
>
> But alas, if a safe-way can't be found, then assuredly the `-R dir' and
> `-j jail' options should be removed and the recommendation would be that
> they just copy the script into the jail.

The -R option is still useful in the same way DESTDIR is useful for
installworld/installkernel and -D option for mergemaster(8).

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
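The symlink hazard discussed in the quoted part of this message (a host-side cp(1) into $ROOTDIR/tmp follows a link a jailed root has planted under the expected name, and so overwrites e.g. /etc/spwd.db) and the "create a random directory" fix, as an added shell example that is not part of this thread or of sysrc itself. The fake jail root, the file names sysrc.tmp/payload and their contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the sysrc thread or from sysrc itself): shows why a
# host-side cp(1) into $ROOTDIR/tmp is unsafe when the destination name is
# predictable, and the mkdtemp(3)-style fix the thread suggests. Everything
# under the fake jail root is constructed for the demonstration.
set -eu

# Build a throwaway "jail root" with an /etc/spwd.db to protect, a payload the
# host tool wants to copy in, and a symlink that a malicious jailed root has
# pre-planted in /tmp under the exact name the host tool is going to use.
# Prints the path of the fake root.
setup_fake_jail() {
    rootdir=$(mktemp -d "${TMPDIR:-/tmp}/fakejail.XXXXXX")
    mkdir -p "$rootdir/tmp" "$rootdir/etc"
    printf 'original spwd.db\n' > "$rootdir/etc/spwd.db"
    printf 'payload\n' > "$rootdir/payload"
    ln -s "$rootdir/etc/spwd.db" "$rootdir/tmp/sysrc.tmp"
    printf '%s\n' "$rootdir"
}

# Unsafe: copy to a fixed name directly under $ROOTDIR/tmp. cp(1) opens the
# destination for writing and follows the planted symlink, so the file the
# link points at (/etc/spwd.db here) is truncated and overwritten.
# Prints the resulting content of $ROOTDIR/etc/spwd.db.
naive_copy() {
    rootdir=$1
    cp "$rootdir/payload" "$rootdir/tmp/sysrc.tmp"
    cat "$rootdir/etc/spwd.db"
}

# Safer: create a fresh, randomly named directory with mktemp -d (mkdir(2)
# semantics: an existing name, symlink or not, makes it pick another), refuse
# anything that is not a real directory, and only ever write inside it.
# Prints the resulting content of $ROOTDIR/etc/spwd.db.
safe_copy() {
    rootdir=$1
    workdir=$(mktemp -d "$rootdir/tmp/sysrc.XXXXXX")
    if [ -L "$workdir" ] || [ ! -d "$workdir" ]; then
        printf 'refusing to use %s: not a fresh directory\n' "$workdir" >&2
        return 1
    fi
    cp "$rootdir/payload" "$workdir/sysrc.tmp"
    cat "$rootdir/etc/spwd.db"
}

# Stand-alone demonstration: the naive copy clobbers spwd.db, the safe one
# leaves it alone.
jail1=$(setup_fake_jail)
printf 'naive copy left spwd.db as: %s\n' "$(naive_copy "$jail1")"
jail2=$(setup_fake_jail)
printf 'safe copy left spwd.db as:  %s\n' "$(safe_copy "$jail2")"
rm -rf "$jail1" "$jail2"
```

The random directory only closes the pre-planted-symlink case. While the jail is running, its root can still rename or replace the directory between your check and your cp, because the host process and the jailed root are operating on the same file system tree; that is the check-then-use window behind the statement above that this must be done with the jail turned off.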