Date:      Sat, 03 Jul 2010 08:07:15 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Aiza <aiza21@comclark.com>
Cc:        "questions@freebsd.org" <questions@freebsd.org>
Subject:   Re: jail and uname
Message-ID:  <4C2EE1A3.6020803@infracaninophile.co.uk>
In-Reply-To: <4C2ED4F9.2010408@comclark.com>
References:  <4C2ED4F9.2010408@comclark.com>


On 03/07/2010 07:13:13, Aiza wrote:
> From the console of a jail I issue uname -r and get 8.0-RELEASE-p3,
> which is the release level of the host. I know the jail is running a
> pristine minimum install of 8.0-RELEASE.

The uname information is compiled into the kernel -- so all jails will
show the information relevant to the host system.  The problem arises
when a security patch applies to userland, and not the kernel, as
updating the host system does not necessarily mean the update has been
applied to the jails.

> I would think issuing uname from within a jail environment should
> respond with the info of the jail environment. Is this not a security
> violation?

It can result in security problems, yes.  The real problem there is an
incorrect approach to applying security updates to jailed systems. Even
so, not having a reliable means of telling per-jail that patches have or
have not been applied is a flaw.

Whether you can do this within the POSIX specification for uname without
adversely affecting backwards compatibility is a good question
(http://www.opengroup.org/onlinepubs/009695399/utilities/uname.html).
Perhaps a simple solution would be to compile a constant string value
showing system version and patch level into libc.so and have a small
utility to print that data out.  Since this is independent of the
kernel, it should fulfill the requirements, but it does mean that
*every* system update requires a new libc.so and hence a restart of all
running processes to apply fully.

While I'm here -- why doesn't FreeBSD use a simple version number like
7.3.4 rather than saying 7.3-RELEASE-p4?  I realize that historically
there have been point releases like 5.2.1-RELEASE but the whole
Security/Errata branch concept was developed partly in response to such
things, and the whole release engineering process is done differently now.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
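To make the point in the thread concrete, here is an added example (not from the mailing list): a script that compares each running jail's userland patch level against the host's, since uname -r inside a jail only reports the host kernel. It assumes a FreeBSD host with jls(8) and jexec(8), and uses freebsd-version(1), a tool shipped in later FreeBSD releases that prints a version string recorded when the userland was built, which is essentially the kernel-independent "small utility" approach Matthew describes.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit the userland patch
# level of each running jail against the host. Inside a jail, uname -r
# reports the host kernel's version, so it cannot be used for this check.
# Assumes FreeBSD with jls(8), jexec(8) and freebsd-version(1); the latter
# prints the userland version recorded at build time (-u), which is the
# kernel-independent "small utility" approach discussed in the thread.

# Split "8.0-RELEASE-p3" into its base ("8.0-RELEASE") and patch level (3).
# A release with no -pN suffix is patch level 0.
version_base() {
    printf '%s\n' "$1" | sed 's/-p[0-9][0-9]*$//'
}

patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Compare a jail's userland version against the host's. Prints one of
# "ok", "outdated" or "mismatch" (different base release, cannot compare).
compare_userland() {
    host="$1" jail="$2"
    if [ "$(version_base "$host")" != "$(version_base "$jail")" ]; then
        echo mismatch
    elif [ "$(patch_level "$jail")" -lt "$(patch_level "$host")" ]; then
        echo outdated
    else
        echo ok
    fi
}

# Walk every running jail and report its userland status relative to the host.
audit_jails() {
    host_userland="$(freebsd-version -u)"
    jls jid name | while read -r jid name; do
        jail_userland="$(jexec "$jid" freebsd-version -u </dev/null 2>/dev/null || echo unknown)"
        printf '%-8s %-20s kernel=%s userland=%s status=%s\n' \
            "$jid" "$name" "$(jexec "$jid" uname -r </dev/null)" "$jail_userland" \
            "$(compare_userland "$host_userland" "$jail_userland")"
    done
}

# Only run the audit where the jail tools exist; the helpers above work anywhere.
if command -v jls >/dev/null 2>&1 && command -v freebsd-version >/dev/null 2>&1; then
    audit_jails
fi
```

A jail reported as "outdated" has a userland behind the host's patch level even though uname -r inside it shows the host's -pN, which is exactly the gap the thread describes.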