Site Navigation

Date:      Tue, 11 Sep 2018 18:55:56 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        "Michael W. Lucas" <mwlucas@michaelwlucas.com>
Cc:        current@freebsd.org
Subject:   Re: jail exec.clean busted in 12?
Message-ID:  <20180911225556.4koxpwp7u2e4jvyu@mutt-hbsd>
In-Reply-To: <20180911195802.GA77575@mail.michaelwlucas.com>
References:  <20180911195802.GA77575@mail.michaelwlucas.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
On Tue, Sep 11, 2018 at 03:58:02PM -0400, Michael W. Lucas wrote:
> 
> Hi,
> 
> storm~;uname -a
> FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep  6 12:29:00 EDT 2018     root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
> 
> It appears that exec.clean is busted. Here's my jail.conf:
> 
> ---
> 
> $j="/jail";
> path="$j/$name";
> host.hostname="$name.mwl.io";
> 
> mount.devfs;
> exec.clean=0;
> exec.start="sh /etc/rc";
> exec.stop="sh /etc/rc.shutdown";
> 
> loghost {
>   ip4.addr="203.0.113.231";
>   allow.raw_sockets=1;
>   jid=99;
> }
> 
> logdb {
>   host.hostname="logdb.mwl.io";
>   ip4.addr="203.0.113.232";
>   }
> 
> ---
> 
> exec.clean is not explicitly defined on the command line, but it's the
> default, so it maybe shouldn't be?
> 
> storm~;jls -n
> devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=6 host.domainname="" host.hostid=0 host.hostname=logdb.mwl.io host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=203.0.113.232 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144
> devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0 host.hostname=loghost.mwl.io host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=203.0.113.231 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144
> 
> Anyway, I found this by:
> 
> # jexec loghost env
> HOME=/home/mwlucas
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
> TERM=xterm
> LC_COLLATE=C
> LANG=en_US.UTF-8
> SSH_CLIENT=203.0.113.70 59076 22
> SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> SSH_TTY=/dev/pts/2
> SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> LC_CTYPE=en_US.ISO-8859-1
> MAIL=/var/mail/root
> ...
> 
> I'm highly confident my SSH environment shouldn't be in the jail. Yes,
> it goes away if I add -l, but my (admittedly sketchy) reading of the
> jexec source says that jexec handles stripping the environment before
> running the command.
> 
> Even if I start it the hard way (from a discussion at
> https://github.com/iocage/iocage/issues/610)
> 
> storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 persist
> storm~;jls
>    JID  IP Address      Hostname                      Path
>      9                  loghost                       /jail/loghost
>      
> storm~;jexec 9 env | grep -i ssh
> SSH_CLIENT=203.0.113.70 59076 22
> SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> SSH_TTY=/dev/pts/2
> SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> storm~;
> 
> Any ideas?

Hey Michael,

It appears the jail.exec option is for jail(8) only. You need to pass
the -l option to jexec(8) to sanitize the environment.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAluYR/cACgkQaoRlj1JF
bu5Geg/9GK9mLxQHZv/C7uL00sokOL1sFIEvqkWiDLdigDn3I0LzYAorMVSmfvqn
uAr00sKV0IZzXVhhoPbSKQrbvDSJXzdXdj7pH+OFj6VFL9nL0R9MxTRlQ8UsSh0O
beTdQ6klTcGV8d1C56A35pW5CI+EvMqJX4FubSRspacIHi1E+4De+jGV5IG/hYnj
uWXxxEORktZ7OtZwS64JXlZJ35AArIivJwMjrdQRx5z/K7PL5pC6Ck+FWr/s9u5P
4OXzn3pXw3DmUSBaUw/VgX0ZT2oyvb/NOYOcVJNn7bIBCBX5PI8Neiw/gRwiKqf2
XH5l2WyAAdQGHUcy1UYJ7BN5oC8D78O3e6ca3SKieQjjg9nCnwSCgxfnEqrj14P3
LRX6jatHc2AAQDdZocELYnKU31sn34JUAkQLnTtBRnWIHUlQ8EbtHwQI0Oy+fB9r
NL+phOjVnSfwOB2YgURAOW01E5Dd9qAb0MwBUIwOSCeNT9HzFwkmw1ZnyISD5Wm1
YFdlsVmMdQTEwuF+LHU+ZU/iDHlFsuOktQQs6A7/Q4IlVn4hBq2lCQ9b9KxVXvUm
dPxc5WmIsNZbaYiHoOlQJFrmicRGMKFDx70AFQzlrkK3VlVKbVqqtWW+CfdwcuUK
Hum1/4Bh/RSd3ogbueKUCBVDEZCTIL51uzmMEig9KhfWdMtRh1Q=
=5wtD
-----END PGP SIGNATURE-----

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180911225556.4koxpwp7u2e4jvyu>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact