Date: Tue, 23 Jan 2007 13:25:08 +0100 From: Alexander Leidinger <Alexander@Leidinger.net> To: Pawel Jakub Dawidek <pjd@FreeBSD.org> Cc: freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org, Colin Percival <cperciva@FreeBSD.org>, "Simon L. Nielsen" <simon@FreeBSD.org> Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail] Message-ID: <20070123132508.oy4elyx7kkogokkg@webmail.leidinger.net> In-Reply-To: <20070123113444.GB11767@garage.freebsd.pl> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <20070120122432.GA971@zaphod.nitro.dk> <20070120130308.GD6697@garage.freebsd.pl> <20070120152423.3195b15b@Magellan.Leidinger.net> <20070123113444.GB11767@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (from Tue, 23 Jan 2007 =20
12:34:44 +0100):
> On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
>> Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (Sat, 20 Jan 2007 =20
>> 14:03:08 +0100):
>>
>> > I fully agree that console.log should be outside a jail. At least noone
>> > proposed safe solution so far, which also means it's not an easy fix.
>>
>> What's unsafe about my proposal? I did had a look at the code now, and
>> it should work (with minor mods).
>>
>> Original:
>> ---snip---
>> _tmp_jail=3D${_tmp_dir}/jail.$$
>> eval jail ${_flags} -i ${_rootdir} ${_hostname} \
>> ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1
>>
>> if [ "$?" -eq 0 ] ; then
>> _jail_id=3D$(head -1 ${_tmp_jail})
>> i=3D1
>> while [ true ]; do
>> eval out=3D\"\${_exec_afterstart${i}:-''}=
\"
>>
>> if [ -z "$out" ]; then
>> break;
>> fi
>>
>> jexec "${_jail_id}" ${out}
>> i=3D$((i + 1))
>> done
>>
>> echo -n " $_hostname"
>> tail +2 ${_tmp_jail} >${_consolelog}
>> echo ${_jail_id} > /var/run/jail_${_jail}.id
>> ---snip---
>>
>> Pseudocode proposal, not tested (changes prefixed with 'x'):
>> ---snip---
>> _tmp_jail=3D${_tmp_dir}/jail.$$
>> x # assuming safe _consolelog (inside chroot) according
>> to the
>> x # previous mails here in the thread
>> x=09=09eval (echo "" ; \
>> x jail ${_flags} -I /var/run/jail_${_jail}.id \
>> x ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
>> x > ${_consolelog} 2>&1
>>
>> if [ "$?" -eq 0 ] ; then
>> x _jail_id=3D$(cat /var/run/jail_${_jail}.id)
>> i=3D1
>> while [ true ]; do
>> eval out=3D\"\${_exec_afterstart${i}:-''}=
\"
>>
>> if [ -z "$out" ]; then
>> break;
>> fi
>>
>> jexec "${_jail_id}" ${out}
>> i=3D$((i + 1))
>> done
>>
>> echo -n " $_hostname"
>> x
>> x
>> ---snip---
>>
>> Repeating my points:
>> - sanitize the consolelog path like discussed in this thread
>> - the jail is not running, so nobody can create a link (jail
>> root within FS space of another jail still prohibited)
>> - subshell to group echo and jail
>> - 'echo ""' to make sure the file exists when the jail starts
>> - (new) additional flag to jail to write a jid file
>> - redirect to the consolelog, it is still open from the echo
>> when the jail starts so there's no race
>>
>> I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
>> is line buffered, so the above works.
>>
>> Where's the security problem in the above?
>
> It looks like it may work, but I still find it a bit risky. If sh(1) can
> reopen the file under some conditions or someone in the future will
> modify sh(1) in that way (because he won't be aware that such a change
> may have impact on system security) we will have a security hole.
> Chances are small, but I'm not going to be the one who will accept that
> change:)
The spawned subshell is like a command. It doesn't make sense to =20
reopen the file for a command. It's like saying we open and close the =20
file for each line. I didn't calculated the probability of this to =20
happen, but I would be very surprised if it is significant. Just think =20
about the performance of such behavior (or a more complex logic which =20
open()/close()es in a more complex way). And if you think about such =20
unlikely stuff to happen, you should also think about some other stuff =20
we are not prepared to survive. But feel free to propose a better =20
solution for the problem.
Bye,
Alexander.
--=20
In Newark the laundromats are open 24 hours a day!
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID =3D B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID =3D 72077137
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070123132508.oy4elyx7kkogokkg>