From: Dirk Engling
Date: Sat, 20 Jan 2007 15:05:39 +0100
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival, "Simon L. Nielsen"
Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

Pawel Jakub Dawidek wrote:

> When -J operates on a file inside a jail, it creates the same security
> hole as the one from the security advisory, because it opens a file before
> calling jail(2).

> I fully agree that console.log should be outside a jail. At least no one
> has proposed a safe solution so far, which also means it's not an easy fix.

I still suggest using "pwd -P" to get the real path and using the
shell's CWD as a lock. That works safely with mount(8) at least.

Comments?

  erdgeist
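Added example, not part of the original message and not code from FreeBSD's rc scripts: one way to apply the "pwd -P" suggestion above, by changing into the jail-relative directory, resolving its physical path, and rejecting it if it has left the jail root. The function names and the REAL_DIR variable are hypothetical, and ROOT is assumed to be an absolute path.

```shell
#!/bin/sh
# Hypothetical helpers illustrating the "pwd -P" + CWD idea from the message.

# enter_checked ROOT SUBDIR
#   cd into ROOT/SUBDIR, resolve where that really is, and accept it only if
#   the physical path still lies under the physical ROOT.
#   Success: the shell stays in the directory, REAL_DIR holds the real path.
#   Failure: the previous CWD is restored and REAL_DIR is emptied.
enter_checked() {
    ec_old=$(pwd -P) || return 1
    # Physical path of the jail root (the root itself may be a symlink).
    ec_root=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    # Follow whatever ROOT/SUBDIR points to right now ...
    cd "$1/$2" 2>/dev/null || return 1
    # ... then ask for the location with all symlinks resolved.
    REAL_DIR=$(pwd -P)
    # Trailing slashes make "/jail" not match "/jail2", and handle ROOT="/".
    case "$REAL_DIR/" in
        "${ec_root%/}/"*) return 0 ;;
    esac
    cd "$ec_old" || true
    REAL_DIR=
    return 1
}

# with_pinned_dir ROOT SUBDIR CMD [ARGS...]
#   Run CMD in a subshell whose CWD is the checked directory, so the shell
#   keeps that directory open for as long as CMD runs. CMD can read the
#   resolved path from $REAL_DIR instead of re-walking ROOT/SUBDIR.
with_pinned_dir() {
    (
        enter_checked "$1" "$2" || exit 1
        shift 2
        export REAL_DIR
        "$@"
    )
}
```

A caller would pass "$REAL_DIR" (not the original ROOT/SUBDIR string) to the command that acts on the directory, so the path used is the one that was checked.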