Date: Tue, 23 Jan 2007 12:34:44 +0100 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Alexander Leidinger <Alexander@Leidinger.net> Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, Colin Percival <cperciva@freebsd.org>, "Simon L. Nielsen" <simon@FreeBSD.org> Subject: Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail] Message-ID: <20070123113444.GB11767@garage.freebsd.pl> In-Reply-To: <20070120152423.3195b15b@Magellan.Leidinger.net> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <20070120122432.GA971@zaphod.nitro.dk> <20070120130308.GD6697@garage.freebsd.pl> <20070120152423.3195b15b@Magellan.Leidinger.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (Sat, 20 Jan 2007 14:03:08 +0100):
>
> > I fully agree that console.log should be outside a jail. At least noone
> > proposed safe solution so far, which also means it's not an easy fix.
>
> What's unsafe about my proposal? I did had a look at the code now, and
> it should work (with minor mods).
>
> Original:
> ---snip---
> _tmp_jail=${_tmp_dir}/jail.$$
> eval jail ${_flags} -i ${_rootdir} ${_hostname} \
> ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1
>
> if [ "$?" -eq 0 ] ; then
> _jail_id=$(head -1 ${_tmp_jail})
> i=1
> while [ true ]; do
> eval out=\"\${_exec_afterstart${i}:-''}\"
>
> if [ -z "$out" ]; then
> break;
> fi
>
> jexec "${_jail_id}" ${out}
> i=$((i + 1))
> done
>
> echo -n " $_hostname"
> tail +2 ${_tmp_jail} >${_consolelog}
> echo ${_jail_id} > /var/run/jail_${_jail}.id
> ---snip---
>
> Pseudocode proposal, not tested (changes prefixed with 'x'):
> ---snip---
> _tmp_jail=${_tmp_dir}/jail.$$
> x # assuming safe _consolelog (inside chroot) according
> to the
> x # previous mails here in the thread
> x eval (echo "" ; \
> x jail ${_flags} -I /var/run/jail_${_jail}.id \
> x ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
> x > ${_consolelog} 2>&1
>
> if [ "$?" -eq 0 ] ; then
> x _jail_id=$(cat /var/run/jail_${_jail}.id)
> i=1
> while [ true ]; do
> eval out=\"\${_exec_afterstart${i}:-''}\"
>
> if [ -z "$out" ]; then
> break;
> fi
>
> jexec "${_jail_id}" ${out}
> i=$((i + 1))
> done
>
> echo -n " $_hostname"
> x
> x
> ---snip---
>
> Repeating my points:
> - sanitize the consolelog path like discussed in this thread
> - the jail is not running, so nobody can create a link (jail
> root within FS space of another jail still prohibited)
> - subshell to group echo and jail
> - 'echo ""' to make sure the file exists when the jail starts
> - (new) additional flag to jail to write a jid file
> - redirect to the consolelog, it is still open from the echo
> when the jail starts so there's no race
>
> I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
> is line buffered, so the above works.
>
> Where's the security problem in the above?
It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
iD8DBQFFtfLUForvXbEpPzQRAoo1AJ9Q/u5YAPeHsQiOUBCEEOR8BzKuoACbBnQH
g1ixkeanvC5aURwI48b/TW4=
=TDkY
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070123113444.GB11767>