From owner-freebsd-security@FreeBSD.ORG Thu Jan 11 06:55:29 2007
Date: Thu, 11 Jan 2007 09:41:57 +0300
From: Eygene Ryabinkin
To: cperciva@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Recent vulnerabilities in xorg-server

Colin, good day!

Spotted two patches for x11-servers/xorg-server port: see entries for
x11r6.9.0-dbe-render.diff and x11r6.9.0-cidfonts.diff at
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html
Seems like they are not applied to the xorg-server-6.9.0_5. Maybe
it should be added to the VuXML document?

There is a ports/107733 issue that incorporates these patches. Maybe
you should have a look.

Thanks!
--
Eygene

From owner-freebsd-security@FreeBSD.ORG Thu Jan 11 07:47:56 2007
Date: Thu, 11 Jan 2007 08:22:35 +0100
From: Remko Lodder
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Recent vulnerabilities in xorg-server

On Thu, Jan 11, 2007 at 09:41:57AM +0300, Eygene Ryabinkin wrote:
> Colin, good day!
>
> Spotted two patches for x11-servers/xorg-server port: see entries for
> x11r6.9.0-dbe-render.diff and x11r6.9.0-cidfonts.diff at
> http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html
> Seems like they are not applied to the xorg-server-6.9.0_5. Maybe
> it should be added to the VuXML document?
>
> There is a ports/107733 issue that incorporates these patches. Maybe
> you should have a look.
>
> Thanks!
> --
> Eygene

Good morning Eygene,

Thanks for the notification! We are kinda busy at the
moment, so if you could spare a minute and write a
VuXML entry (a draft would also suffice), we can
more easily add it. If you are unable to do so, no
probs, but it is likely to take a bit longer to
get the things incorporated.

Thanks for using FreeBSD and your willingness to improve
the product! It is being appreciated.

Cheers,
Remko

--
Kind regards,

     Remko Lodder               ** remko@elvandar.org
     FreeBSD                    ** remko@FreeBSD.org

     /* Quis custodiet ipsos custodes */

From owner-freebsd-security@FreeBSD.ORG Thu Jan 11 07:56:25 2007
Date: Thu, 11 Jan 2007 10:56:16 +0300
From: Eygene Ryabinkin
To: Remko Lodder
Cc: freebsd-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Recent vulnerabilities in xorg-server
Content-Type: multipart/mixed; boundary="H1spWtNR+x+ondvy"

--H1spWtNR+x+ondvy
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline

Remko, good day!

> Thanks for the notification! We are kinda busy at the
> moment, so if you could spare a minute and write a
> VuXML entry (a draft would also suffice), we can
> more easily add it. If you are unable to do so, no
> probs, but it is likely to take a bit longer to
> get the things incorporated.

Attached. The discovery date is given by the date of the original
posts in Securityfocus bugtraq list:
  http://www.securityfocus.com/archive/1/456437/30/0/threaded
  http://www.securityfocus.com/archive/1/456434/30/0/threaded
  http://www.securityfocus.com/archive/1/456434/30/0/threaded
The disclosure timeline is different (the same for all three posts):
-----
VIII. DISCLOSURE TIMELINE

12/04/2006 Initial vendor notification
12/05/2006 Initial vendor response
01/09/2007 Coordinated public disclosure
-----

> Thanks for using FreeBSD and your willingness to improve
> the product! It is being appreciated.

You're welcome ;))
--
Eygene

--H1spWtNR+x+ondvy
Content-Type: text/plain; charset=koi8-r
Content-Disposition: attachment; filename="vuxml.log"

xorg-server -- multiple vulnerabilities.
xorg-server 6.9.0_5

x11r6.9.0-dbe-render.diff

CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and ProcRenderAddGlyphs() functions in the X server, implementing requests for the dbe and render extensions, may be used to overwrite data on the stack or in other parts of the X server memory.

x11r6.9.0-cidfonts.diff

CVE-2006-3739 and CVE-2006-3740: It may be possible for a user with the ability to set the X server font path, by making it point to a malicious font, to cause arbitrary code execution or denial of service on the X server.

ports/107733 CVE-2006-3739 CVE-2006-3740 CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 http://xorg.freedesktop.org/releases/X11R6.9.0/patches/index.html 2007-01-09 2007-01-11
--H1spWtNR+x+ondvy--

From owner-freebsd-security@FreeBSD.ORG Thu Jan 11 18:41:33 2007
Date: Thu, 11 Jan 2007 18:41:32 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:01.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Jail rc.d script privilege escalation

Category:       core
Module:         etc_rc.d
Announced:      2007-01-11
Credits:        Dirk Engling
Affects:        All FreeBSD releases since 5.3
Corrected:      2007-01-11 18:16:58 UTC (RELENG_6, 6.2-STABLE)
                2007-01-11 18:17:24 UTC (RELENG_6_2, 6.2-RELEASE)
                2007-01-11 18:18:08 UTC (RELENG_6_1, 6.1-RELEASE-p12)
                2007-01-11 18:18:35 UTC (RELENG_6_0, 6.0-RELEASE-p17)
                2007-01-11 18:18:57 UTC (RELENG_5, 5.5-STABLE)
                2007-01-11 18:19:33 UTC (RELENG_5_5, 5.5-RELEASE-p10)
CVE Name:       CVE-2007-0166

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.

II.  Problem Description

In multiple situations the host's jail rc.d(8) script does not check if
a path inside the jail file system structure is a symbolic link before
using the path.  In particular this is the case when writing the
output from the jail start-up to /var/log/console.log and when
mounting and unmounting file systems inside the jail directory
structure.

III. Impact

Due to the lack of handling of potential symbolic links the host's jail
rc.d(8) script is vulnerable to "symlink attacks".  By replacing
/var/log/console.log inside the jail with a symbolic link it is
possible for the superuser (root) inside the jail to overwrite files
on the host system outside the jail with arbitrary content.  This in
turn can be used to execute arbitrary commands with non-jailed
superuser privileges.

Similarly, by changing directory mount points inside the jail file
system structure into symbolic links, it may be possible for a jailed
attacker to mount file systems which were meant to be mounted inside
the jail at arbitrary points in the host file system structure, or to
unmount arbitrary file systems on the host system.

NOTE WELL: The above vulnerabilities occur only when a jail is being
started or stopped using the host's jail rc.d(8) script; once started
(and until stopped), running jails cannot exploit this.

IV.  Workaround

If the sysctl(8) variable security.jail.chflags_allowed is set to 0
(the default), setting the "sunlnk" system flag on /var, /var/log,
/var/log/console.log, and all file system mount points and their
parent directories inside the jail(s) will ensure that the console log
file and mount points are not replaced by symbolic links.  If this is
done while jails are running, the administrator must check that an
attacker has not replaced any directories with symlinks after setting
the "sunlnk" flag.

V.   Solution

NOTE WELL: The solution described changes the default location of the
"console.log" for jails from /var/log/console.log inside each jail to
/var/log/jail_${jail_name}_console.log on host system.  If this is a
problem, it may be possible to create a hard link from the new position
of the console log file to a location inside the jail.  A new rc.conf(5)
variable, jail_${jail_name}_consolelog, can be used to change the
location of console.log files on a per-jail basis.

In addition, the solution described below does not fully secure jail
configurations where two jails have overlapping directory trees and a
file system is mounted inside the overlap.  Overlapping directory
trees can occur when jails share the same root directory; when a jail
has a root directory which is a subdirectory of another jail's root
directory; or when a part of the file system space of one jail is
mounted inside the file system space of another jail, e.g., using
nullfs or unionfs.

To handle overlapping jails safely the administrator must set the
sysctl(8) variable security.jail.chflags_allowed to 0 (the default)
and manually set the "sunlnk" file/directory flag on all mount points
and all parent directories of mount points.  If this is done while
jails are running, the administrator must check that an attacker has
not replaced any directories with symlinks after setting the "sunlnk"
flag.

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_1, RELENG_6_0, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.0,
and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch.asc

[FreeBSD 6.0]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch.asc

[FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# install -o root -g wheel -m 555 etc/rc.d/jail /etc/rc.d

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                   Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/etc/rc.d/jail                                      1.15.2.6
RELENG_5_5
  src/UPDATING                                           1.342.2.35.2.10
  src/sys/conf/newvers.sh                                1.62.2.21.2.12
  src/etc/rc.d/jail                                      1.15.2.5.2.1
RELENG_6
  src/etc/rc.d/jail                                      1.23.2.9
RELENG_6_2
  src/UPDATING                                           1.416.2.29.2.2
  src/etc/rc.d/jail                                      1.23.2.7.2.1
RELENG_6_1
  src/UPDATING                                           1.416.2.22.2.14
  src/sys/conf/newvers.sh                                1.69.2.11.2.14
  src/etc/rc.d/jail                                      1.23.2.3.2.3
RELENG_6_0
  src/UPDATING                                           1.416.2.3.2.22
  src/sys/conf/newvers.sh                                1.69.2.8.2.18
  src/etc/rc.d/jail                                      1.23.2.2.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0166

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:01.jail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQFFpoQEFdaIBMps37IRAqtSAJoDNEO9woA7ZF1hbCuhbjFzhnXSfgCgjRH/
bapC5/eS7eAipiguG2DFdls=
=a8el
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Jan 11 21:21:23 2007
Date: Thu, 11 Jan 2007 22:02:10 +0100
From: Kim G Nielsen
To: freebsd-security@freebsd.org
Subject: Kim G. Nielsen - Network-IT is unavailable

I will be out of the office starting 05-01-2007 and will not return until
16-01-2007.

I am unavailable until 2007-01-16.

If there is anything that cannot wait until I am back, contact Peder
Larsen (E pla@network-it.dk M +45 2222 3703), or leave a message on my
mobile +45 2222 3701 (checked once a day).

=:-) Kim Grønborg Nielsen

From owner-freebsd-security@FreeBSD.ORG Fri Jan 12 00:50:21 2007
Date: Thu, 11 Jan 2007 16:51:02 -0800
From: Colin Percival
To: freebsd-security@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Hello Everyone,

I usually let security advisories speak for themselves, but I want to call
special attention to this one: If you use jails, READ THE ADVISORY, in
particular the "NOTE WELL" part below; and if you have problems after applying
the security patch, LET US KNOW -- we do everything we can to make sure
that security updates will never cause problems, but in this case we could
not fix all of the security issues without either making assumptions
about how systems are configured or reducing functionality.

In the end we opted to reduce functionality (the jail startup process is
no longer logged to /var/log/console.log inside the jail), make an assumption
about how systems are configured (filesystems which are mounted via per-jail
fstab files should not be mounted on symlinks -- if you do this, adjust your
fstab files to give the real, non-symlinked, path to the mount point), and
leave a potential security problem unfixed (if you mount any filesystems via
per-jail fstab files on mount points which are visible within multiple jails,
there are problems -- don't do this).

While this is not ideal, this security issue was extraordinarily messy due to
the power and flexibility of the jails and the jail rc.d script.  I can't
recall any other time when the security team has spent this long trying to
find a working patch for a security issue.  I'd like to publicly thank Simon
Nielsen for the many many hours he spent working on this issue, as well as
the release engineering team for being very patient with us and delaying the
upcoming release to give us time to fix this.

Sincerely,
Colin Percival
FreeBSD Security Officer

FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-07:01.jail                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Jail rc.d script privilege escalation
>
> [snip]
>
> NOTE WELL: The solution described changes the default location of the
> "console.log" for jails from /var/log/console.log inside each jail to
> /var/log/jail_${jail_name}_console.log on host system.  If this is a
> problem, it may be possible to create a hard link from the new position
> of the console log file to a location inside the jail.  A new rc.conf(5)
> variable, jail_${jail_name}_consolelog, can be used to change the
> location of console.log files on a per-jail basis.
>
> In addition, the solution described below does not fully secure jail
> configurations where two jails have overlapping directory trees and a
> file system is mounted inside the overlap.  Overlapping directory
> trees can occur when jails share the same root directory; when a jail
> has a root directory which is a subdirectory of another jail's root
> directory; or when a part of the file system space of one jail is
> mounted inside the file system space of another jail, e.g., using
> nullfs or unionfs.
>
> To handle overlapping jails safely the administrator must set the
> sysctl(8) variable security.jail.chflags_allowed to 0 (the default)
> and manually set the "sunlnk" file/directory flag on all mount points
> and all parent directories of mount points.  If this is done while
> jails are running, the administrator must check that an attacker has
> not replaced any directories with symlinks after setting the "sunlnk"
> flag.
>
> [snip]
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-07:01.jail.asc

From owner-freebsd-security@FreeBSD.ORG Fri Jan 12 03:41:05 2007
Date: Fri, 12 Jan 2007 04:40:59 +0100
From: Philipp Wuensche
To: Mark Andrews
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Mark Andrews wrote:
>> I'm not sure I understand that quite correct, where is this problem
>> appearing?
>>
>> Other things:
>>
>> tail is used in line 230: tail -r ${_fstab} | while read _device
>> _mountpt _rest; do
>>
>> If the per-jail fstab is larger than 10 lines, which is the default of
>> tail to show, the remaining mountpoints will not be unmounted?
>
> The default for the -r option is to display all of the input.

Ah, didn't know that. Thanks for correcting me there.

greetings,
philipp

From owner-freebsd-security@FreeBSD.ORG Fri Jan 12 03:54:23 2007
Date: Fri, 12 Jan 2007 04:27:34 +0100
From: Philipp Wuensche
To: Colin Percival
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Colin Percival wrote:
> Hello Everyone,
>
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
>
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail)

That's a bummer, when Dirk showed me this problem the first time my ideas
for fixing this problem without losing the functionality were changing
flags on the file so it can't be removed or/and checking if it is really
a file or a symlink instead. Of course you have to check if /var/log has
symlinked parent directories before.

First is quite problematic and setting flags on file is something
scripts which create a jail in the first place probably have to bother
with so option two would be my approach. Did I miss a possible problem
with that idea?

> (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and

If I understand the patch correct it checks recursive all parent
directories of a mountpoint in is_symlinked_mountpoint(), wouldn't it be
better to just check for a symlinked parent directory up to and not
including ${_rootdir}?

I think that wouldn't weaken security and people would be allowed to use
symlinks for their jail root-directories and above. I already know some
setups which will break with the current patch.

> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).

I'm not sure I understand that quite correct, where is this problem
appearing?

Other things:

tail is used in line 230: tail -r ${_fstab} | while read _device
_mountpt _rest; do

If the per-jail fstab is larger than 10 lines, which is the default of
tail to show, the remaining mountpoints will not be unmounted?

Anyway thanks to the freebsd team.

greetings,
philipp

From owner-freebsd-security@FreeBSD.ORG Fri Jan 12 04:29:54 2007
Date: Thu, 11 Jan 2007 20:29:25 -0800
From: Colin Percival
To: Philipp Wuensche
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Philipp Wuensche wrote:
> Colin Percival wrote:
>> In the end we opted to reduce functionality (the jail startup process is
>> no longer logged to /var/log/console.log inside the jail)
>
> That's a bummer, when Dirk showed me this problem the first time my ideas
> for fixing this problem without losing the functionality were changing
> flags on the file so it can't be removed or/and checking if it is really
> a file or a symlink instead. Of course you have to check if /var/log has
> symlinked parent directories before.
>
> First is quite problematic and setting flags on file is something
> scripts which create a jail in the first place probably have to bother
> with so option two would be my approach. Did I miss a possible problem
> with that idea?

Assuming that "option two" means "use file flags to make sure that the host
can write to the jailed /var/log/console.log securely", setting the sunlnk
flag on the jail's /var and /var/log would probably break many jails -- for
one thing, log rotation would become impossible.
Then there's the problem of systems with chflags_allowed=1...

>> (filesystems which are mounted via per-jail
>> fstab files should not be mounted on symlinks -- if you do this, adjust your
>> fstab files to give the real, non-symlinked, path to the mount point), and
>
> If I understand the patch correct it checks recursive all parent
> directories of a mountpoint in is_symlinked_mountpoint(), wouldn't it be
> better to just check for a symlinked parent directory up to and not
> including ${_rootdir}?

This option never occurred to me; I _think_ it would work, but it would
require canonicalizing the jail root path... even if I had thought of this,
I might have decided to avoid this on the basis that complexity == bugs ==
bad for security patches.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Fri Jan 12 04:24:33 2007
Date: Fri, 12 Jan 2007 14:38:14 +1100
From: Mark Andrews
To: Philipp Wuensche
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-Id: <200701120338.l0C3cEXG077286@drugs.dv.isc.org>
In-reply-to: Your message of "Fri, 12 Jan 2007 04:27:34 BST." <45A70026.2010601@h3q.com>

> I'm not sure I understand that quite correct, where is this problem
> appearing?
>
> Other things:
>
> tail is used in line 230: tail -r ${_fstab} | while read _device
> _mountpt _rest; do
>
> If the per-jail fstab is larger than 10 lines, which is the default of
> tail to show, the remaining mountpoints will not be unmounted?

The default for the -r option is to display all of the input.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

From owner-freebsd-security@FreeBSD.ORG Sat Jan 13 08:08:47 2007
Date: Fri, 12 Jan 2007 21:57:36 -1000
From: Randy Bush
To: freebsd-security@freebsd.org
Subject: Permission denied by op
Message-ID: <17832.37104.392873.671721@roam.psg.com>

i am invoking op from a python proggy which does an op.system() of
    op chmod 640 /usr/local/etc/tac_plus.conf
i get "Permission denied by op"

% ls -l /usr/local/etc/op.access
-r-------- 1 root wheel 149 Jan 13 07:41 /usr/local/etc/op.access

% cat /usr/local/etc/op.access
# 2007.01.13
#
#DEFAULT users=src
#
chown /usr/sbin/chown $* ; users=src
chmod /bin/chmod $* ; users=src
rsync /usr/local/bin/rsync $* ; users=src
#

% id
uid=1007(src) gid=1006(srctree) groups=1006(srctree)

clue bat, please

randy

From owner-freebsd-security@FreeBSD.ORG Sat Jan 13 11:48:47 2007
Date: Sat, 13 Jan 2007 12:29:37 +0100
From: Pawel Jakub Dawidek
To: Colin Percival
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID: <20070113112937.GI90718@garage.freebsd.pl>
In-Reply-To: <45A6DB76.40800@freebsd.org>

On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> Hello Everyone,
>
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix the all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
>
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).

I don't like the way it was fixed. I do know it wasn't easy to fix.
I don't like it because it breaks almost all my current jails, because I
often use /jails/ paths in fstabs, which is actually a symlink to
/usr/jails/.

What I'd like to suggest, which seems much better way to fix the problem
is:

1. Apply the patch:

	http://people.freebsd.org/~pjd/patches/realpath.patch

2. Find full path to jail's root with `realpath $_rootdir`.

3. Take first entry from /etc/fstab., for example we have a
   mount-point /usr/jails/foo/usr/lib in there. Run `realpath /usr' and
   compare with $_rootfulldir, if doesn't match, run `realpath /usr/jails`
   and compare, if doesn't match take next path component until we find
   a match. When a match is found, what's left out is a mount-point
   inside a jail, eg. '/usr/lib'. Now, run
   real=`realpath -c $_rootdir /usr/lib`, which will give us full path
   inside a jail. Then, we need to mount file system on $_rootdir/$real.

4. Repeat 3 for each fstab entry.

With this approach one can use symlinks in any mount-point component.
The whole complexity in point 3, is because people can have jail's root
configured as '/usr/jails/foo', but use '/jails/foo' prefix for
mount-points.

I'll keep /var/log/console.log outside a jail, because using
'realpath -c' will be dangerous once the jail is running. There could be
a race where `realpath -c` returns one path, an attacker inside a jail
changes one of resolved path's component and rc.d/jail from outside
a jail tries to use it.

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
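
Added example (not part of any message in this thread, and not code from rc.d/jail or the advisory patch): a sh version of the check Philipp Wuensche proposes, rejecting symlinked components only below the jail root, using the prefix matching from step 3 above to cope with /jails/foo versus /usr/jails/foo. The function names are hypothetical, and `cd` with `pwd -P` stands in for realpath(1).

```sh
#!/bin/sh
# Added example; not from rc.d/jail or the SA-07:01 patch.
# Function names are hypothetical.

# canonical_dir DIR: print DIR with all symlinks resolved (stand-in for
# realpath(1)); fails if DIR is not an accessible directory.
canonical_dir() {
    ( cd -- "$1" 2>/dev/null && pwd -P )
}

# symlink_below_root ROOT MOUNTPT
#   exit 0: a component of MOUNTPT below the jail root is a symlink
#           (its path under the canonical root is printed)
#   exit 1: no symlinked component below the root
#   exit 2: MOUNTPT is not an absolute path under ROOT
# The body is a subshell, so IFS, "set -f" and variables do not leak,
# and "exit" only ends the function.
symlink_below_root() (
    root=$(canonical_dir "$1") || exit 2
    case $2 in /*) ;; *) exit 2 ;; esac
    IFS=/
    set -f
    set -- $2                # split the mount point into components
    prefix="" inside="" rc=2
    for c in "$@"; do
        [ -n "$c" ] || continue
        if [ -z "$inside" ]; then
            # Above the jail root: symlinks such as /jails -> /usr/jails
            # are accepted. Stop at the first prefix that resolves to it.
            prefix="$prefix/$c"
            if [ "$(canonical_dir "$prefix")" = "$root" ]; then
                inside=$root
                rc=1
            fi
        else
            # Below the root: this part of the tree is writable from
            # inside the jail, so no component may be a symlink.
            inside="$inside/$c"
            if [ -L "$inside" ]; then
                printf '%s\n' "$inside"
                exit 0
            fi
        fi
    done
    exit "$rc"
)
```

As noted above for `realpath -c`, a check like this is only trustworthy while nothing inside the jail can still change the path components, that is, before the jail is started.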

From owner-freebsd-security@FreeBSD.ORG Sat Jan 13 18:31:08 2007
Date: Sat, 13 Jan 2007 08:29:18 -1000
From: Randy Bush
To: freebsd-security@freebsd.org
Subject: Re: Permission denied by op
Message-ID: <17833.9470.515735.802136@roam.psg.com>
References: <17832.37104.392873.671721@roam.psg.com>

> i am invoking op from a python proggy which does an op.system() of
>     op chmod 640 /usr/local/etc/tac_plus.conf
> i get "Permission denied by op"

btw, have tested with same invocation directly from /bin/sh. same
result. i.e. it is not the python environment.

> % ls -l /usr/local/etc/op.access
> -r-------- 1 root wheel 149 Jan 13 07:41 /usr/local/etc/op.access
>
> % cat /usr/local/etc/op.access
> # 2007.01.13
> #
> #DEFAULT users=src
> #
> chown /usr/sbin/chown $* ; users=src
> chmod /bin/chmod $* ; users=src
> rsync /usr/local/bin/rsync $* ; users=src
> #
>
> % id
> uid=1007(src) gid=1006(srctree) groups=1006(srctree)
>
> clue bat, please
>
> randy