From: Dag-Erling Smørgrav
To: d@delphij.net
Cc: freebsd-security@freebsd.org, freebsd-gnats-submit@FreeBSD.org, secteam@FreeBSD.org, jamie@FreeBSD.org, Nicola Galante
Subject: Re: misc/187307: Security vulnerability with FreeBSD Jail
Date: Thu, 20 Mar 2014 13:36:40 +0100

Xin Li writes:
> a) you have account on *both* jail and host system.
> b) you attempted to log in into jail's IP, which is also bound to host
>    system;
> c) your configuration didn't explicitly specify SSH's listening
>    address on host, so it's a wildcard (Listen 22 instead of Listen
>    hostip:22, where you can see in sockstat -4l as *:22 for sshd).
> d) when jail is shut down, when you connect to the jail's IP, you
>    connected into the host.

I would like to point out that if you follow the documented procedure
for configuring and managing jails, the jail's IP goes away when the
jail shuts down. This has been the case since at least 8.x using the
old-style rc.conf variables (jail_foo_interface, jail_foo_ip), and it is
still the case in 10.0 using the new-style jail.conf.

DES
-- 
Dag-Erling Smørgrav - des@des.no
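
The condition discussed in this thread can be checked on a host. The following is an added example, not part of the original message or of FreeBSD: it reports which host daemons would answer on a stopped jail's address when that address is still bound to the host and a listener is bound to the wildcard. The `sockstat -4l` sample, the addresses and the function names are constructed for illustration, and the address lists are assumed to be supplied by the operator.

```python
# Constructed sample of `sockstat -4l` output on the host (not from the thread).
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       823   4  tcp4   *:22                  *:*
root     sendmail   900   3  tcp4   127.0.0.1:25          *:*
root     syslogd    610   7  udp4   *:514                 *:*
"""


def parse_listeners(sockstat_text):
    """Return (command, proto, address, port) for each listening socket."""
    listeners = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a full socket line.
        if len(fields) < 7 or fields[0] == "USER":
            continue
        addr, _, port = fields[5].rpartition(":")
        listeners.append((fields[1], fields[4], addr, port))
    return listeners


def host_answers_for(sockstat_text, host_addrs, stopped_jail_addrs, port="22"):
    """Map each stopped jail's address to the host daemons that would answer.

    host_addrs: IPv4 addresses currently configured on host interfaces.
    stopped_jail_addrs: addresses assigned to jails that are not running.
    """
    findings = {}
    # Only addresses still bound to the host after the jail stopped matter.
    for ip in sorted(set(stopped_jail_addrs) & set(host_addrs)):
        hits = [
            cmd for cmd, proto, addr, lport in parse_listeners(sockstat_text)
            if proto.startswith("tcp") and lport == port and addr in ("*", ip)
        ]
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    # Constructed addresses: 192.0.2.10 is the host, 192.0.2.20 belongs to a
    # stopped jail whose alias was left on the interface.
    print(host_answers_for(SOCKSTAT_SAMPLE,
                           host_addrs=["192.0.2.10", "192.0.2.20"],
                           stopped_jail_addrs=["192.0.2.20"]))
```

An empty result means either the jail's address went away with the jail, as the documented procedure arranges, or no host listener covers that address on the given port.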