From owner-freebsd-security@FreeBSD.ORG Fri Aug 17 05:39:43 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CA50F16A41B for ; Fri, 17 Aug 2007 05:39:43 +0000 (UTC) (envelope-from artifact.one@googlemail.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.238]) by mx1.freebsd.org (Postfix) with ESMTP id 7616F13C461 for ; Fri, 17 Aug 2007 05:39:43 +0000 (UTC) (envelope-from artifact.one@googlemail.com) Received: by wr-out-0506.google.com with SMTP id 70so317285wra for ; Thu, 16 Aug 2007 22:39:42 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=googlemail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=RyGXNSleeuy1gwpecuo0GyCbCzq+4J6TUHGfl4ZbeINRxEUxbaXuZvvHcuqxHglbzJZkcpwGPdsiBHoL4/65iIX2eykAJM7dpXrkNiuHVK277kn7ZbO1m2qcZ7aW7Pw8Kz/06YMjphKzeg+TiDbeNiPyA16aI8YBFTzlRxoymDQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=k7duubxtK0Nbh/nnilwdvLI6iaP3eieefglt0SE74BlBQPmiKGNmGRo+S1KRl7tXNUlWMLbCqp0MzmYlpqjrVIyTbnpRmlNXwLzBmXwlCg4bj8HcpkHUTdkBJ0BejWfcHpCSav6H0BbLtk08DhU3ieImYVOqhpLdl9HC0A2spj8= Received: by 10.90.104.14 with SMTP id b14mr3834851agc.1187327439897; Thu, 16 Aug 2007 22:10:39 -0700 (PDT) Received: by 10.90.51.1 with HTTP; Thu, 16 Aug 2007 22:10:39 -0700 (PDT) Message-ID: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com> Date: Fri, 17 Aug 2007 06:10:39 +0100 From: "mal content" To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Jailed X applications X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Aug 2007 05:39:43 -0000 Hello. Has anyone here ever successfully set up a jail for X apps, connecting to an external X server? I'm trying an experimental sandbox setup here. I have a jail running on an aliased IP on my local machine and X programs connect out of the jail to my local X server via an SSH tunneled TCP connection. All other packets to and from the jail are denied by the packet filter. The trouble I am having is that many applications (all X apps so far and a few of the SSH tools) try to open and read from /dev/tty, which clearly isn't going to happen: 96950 xterm RET sigprocmask 0 96950 xterm CALL open(0x807bdfc,0x2,0xbfbfe458) 96950 xterm NAMI "/dev/tty" 96950 xterm RET open -1 errno 16 Device busy 96950 xterm CALL setitimer(0,0xbfbfe380,0xbfbfe370) 96950 xterm RET setitimer 0 96950 xterm CALL sigaction(0xe,0xbfbfe360,0xbfbfe340) 96950 xterm RET sigaction 0 96950 xterm CALL write(0x2,0xbfbfdd70,0x1b) 96950 xterm GIO fd 2 wrote 27 bytes "xterm: Error 14, errno 16: " 96950 xterm RET write 27/0x1b 96950 xterm CALL write(0x2,0xbfbfdd80,0xc) 96950 xterm GIO fd 2 wrote 12 bytes "Device busy " 96950 xterm RET write 12/0xc 96950 xterm CALL write(0x2,0xbfbfdd80,0x29) 96950 xterm GIO fd 2 wrote 41 bytes "Reason: spawn: open() failed on /dev/tty " 96950 xterm RET write 41/0x29 96950 xterm CALL close(0) 96950 xterm RET close 0 96950 xterm CALL chown(0x808f000,0,0) I am seeing successful connections from the jail to my X server, a white window is drawn where the X client will be spawned but this flashes out of existence as soon as the above error is encountered. I'd love a TrustedBSD based sandboxing tool. Any ideas would be appreciated. MC From owner-freebsd-security@FreeBSD.ORG Fri Aug 17 08:26:34 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 05DEB16A417 for ; Fri, 17 Aug 2007 08:26:34 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.freebsd.org (Postfix) with ESMTP id B641413C458 for ; Fri, 17 Aug 2007 08:26:33 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A54EAF.dip.t-dialin.net [84.165.78.175]) by redbull.bpaserver.net (Postfix) with ESMTP id D936F2E10F; Fri, 17 Aug 2007 10:07:49 +0200 (CEST) Received: from webmail.leidinger.net (webmail.Leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id CF7425B4D80; Fri, 17 Aug 2007 10:07:36 +0200 (CEST) Received: (from www@localhost) by webmail.leidinger.net (8.13.8/8.13.8/Submit) id l7H87arC032767; Fri, 17 Aug 2007 10:07:36 +0200 (CEST) (envelope-from Alexander@Leidinger.net) Received: from pslux.cec.eu.int (pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde MIME library) with HTTP; Fri, 17 Aug 2007 10:07:36 +0200 Message-ID: <20070817100736.8291zwehpcgc4444@webmail.leidinger.net> X-Priority: 3 (Normal) Date: Fri, 17 Aug 2007 10:07:36 +0200 From: Alexander Leidinger To: mal content References: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com> In-Reply-To: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) H3 (4.1.4) / FreeBSD-7.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-12.823, required 8, BAYES_00 -15.00, BR_SPAMMER_URI 2.00, RDNS_DYNAMIC 0.10, TW_EV 0.08) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No X-Mailman-Approved-At: Fri, 17 Aug 2007 11:23:31 +0000 Cc: freebsd-security@freebsd.org, freebsd-jail@freebsd.org Subject: Re: Jailed X applications X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Aug 2007 08:26:34 -0000 Quoting mal content (from Fri, 17 Aug =20 2007 06:10:39 +0100): This is better suited for freebsd-jail@ (CCed), please remove =20 freebsd-security@ on reply to move the discussion there. > Has anyone here ever successfully set up a jail for X apps, connecting > to an external X server? I'm trying an experimental sandbox setup here. I have my X server itself in a jail (needs a kernel patch and some =20 devfs rules), and in the past connected to a jail and started a X11 =20 programm there... IIRC. > I have a jail running on an aliased IP on my local machine and X > programs connect out of the jail to my local X server via an SSH > tunneled TCP connection. All other packets to and from the jail are > denied by the packet filter. The trouble I am having is that many > applications (all X apps so far and a few of the SSH tools) try to open > and read from /dev/tty, which clearly isn't going to happen: ssh uses a tty (pty?), but normally you have some in a jail. How do =20 you start the jail? There should be devfs mounted in the jail. Bye, Alexander. --=20 "How do I love thee? My accumulator overflows." http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID =3D B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID =3D 72077137