Date:      Tue, 11 Sep 2018 18:55:56 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        "Michael W. Lucas" <mwlucas@michaelwlucas.com>
Cc:        current@freebsd.org
Subject:   Re: jail exec.clean busted in 12?
Message-ID:  <20180911225556.4koxpwp7u2e4jvyu@mutt-hbsd>
In-Reply-To: <20180911195802.GA77575@mail.michaelwlucas.com>
References:  <20180911195802.GA77575@mail.michaelwlucas.com>



On Tue, Sep 11, 2018 at 03:58:02PM -0400, Michael W. Lucas wrote:
>
> Hi,
>
> storm~;uname -a
> FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep  6 12:29:00 EDT 2018     root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
>
> It appears that exec.clean is busted. Here's my jail.conf:
>
> ---
>
> $j="/jail";
> path="$j/$name";
> host.hostname="$name.mwl.io";
>
> mount.devfs;
> exec.clean=0;
> exec.start="sh /etc/rc";
> exec.stop="sh /etc/rc.shutdown";
>
> loghost {
>   ip4.addr="203.0.113.231";
>   allow.raw_sockets=1;
>   jid=99;
> }
>
> logdb {
>   host.hostname="logdb.mwl.io";
>   ip4.addr="203.0.113.232";
>   }
>
> ---
>
> exec.clean is not explicitly defined on the command line, but it's the
> default, so it maybe shouldn't be?
>
> storm~;jls -n
> devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=6 host.domainname="" host.hostid=0 host.hostname=logdb.mwl.io host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=203.0.113.232 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144
> devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0 host.hostname=loghost.mwl.io host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=203.0.113.231 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144
>
> Anyway, I found this by:
>
> # jexec loghost env
> HOME=/home/mwlucas
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
> TERM=xterm
> LC_COLLATE=C
> LANG=en_US.UTF-8
> SSH_CLIENT=203.0.113.70 59076 22
> SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> SSH_TTY=/dev/pts/2
> SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> LC_CTYPE=en_US.ISO-8859-1
> MAIL=/var/mail/root
> ...
>
> I'm highly confident my SSH environment shouldn't be in the jail. Yes,
> it goes away if I add -l, but my (admittedly sketchy) reading of the
> jexec source says that jexec handles stripping the environment before
> running the command.
>
> Even if I start it the hard way (from a discussion at
> https://github.com/iocage/iocage/issues/610)
>
> storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 persist
> storm~;jls
>    JID  IP Address      Hostname                      Path
>      9                  loghost                       /jail/loghost
>
> storm~;jexec 9 env | grep -i ssh
> SSH_CLIENT=203.0.113.70 59076 22
> SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> SSH_TTY=/dev/pts/2
> SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> storm~;
>
> Any ideas?

Hey Michael,

It appears the jail.exec option is for jail(8) only. You need to pass
the -l option to jexec(8) to sanitize the environment.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
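As an added example (not code from the thread or from FreeBSD), the following POSIX sh script does two things a jail operator may want after reading the exchange above: it audits an `env` listing for variables that reveal the host login session, and it shows the allowlist-style sanitisation that `jexec -l` performs for you (discard everything, then set only a handful of variables explicitly). The sample listing is constructed from the `jexec loghost env` output quoted in the thread; the set of flagged names and the allowlist values in `run_clean` are my assumptions, not anything jexec(8) documents.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Audit an environment listing for host-session leakage and show how an
# allowlisted environment (what `jexec -l` does for us) avoids it.

# Constructed sample: an abbreviated copy of the `jexec loghost env`
# output quoted in the thread.
SAMPLE_ENV='HOME=/home/mwlucas
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
TERM=xterm
LANG=en_US.UTF-8
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
MAIL=/var/mail/root'

# Read NAME=VALUE lines on stdin and print the names that betray the host
# login session: SSH_* (client address, tty, agent socket), a HOME under the
# host's /home, and the host mail spool. The list is an assumption; extend it
# for your own setup.
leaked_vars() {
    awk -F= '
        $1 ~ /^SSH_/                      { print $1; next }
        $1 == "HOME" && $2 ~ "^/home/"    { print $1; next }
        $1 == "MAIL"                      { print $1; next }
    '
}

# Number of leaked variables in the constructed sample listing.
count_leaks() {
    printf '%s\n' "$SAMPLE_ENV" | leaked_vars | wc -l | tr -d ' '
}

# Run a command under an allowlisted environment. This mirrors the idea behind
# `jexec -l`: throw the caller's environment away and set only HOME, PATH,
# SHELL, TERM and USER. The values are placeholders for the target jail user.
run_clean() {
    user=${1:-root}
    shift
    env -i HOME=/ PATH=/sbin:/bin:/usr/sbin:/usr/bin SHELL=/bin/sh \
        TERM="${TERM:-dumb}" USER="$user" "$@"
}

# Number of leaked variables once the same audit runs under run_clean: zero,
# because SSH_* and MAIL never make it through the allowlist.
count_leaks_clean() {
    run_clean root env | leaked_vars | wc -l | tr -d ' '
}

# Stand-alone usage: report both counts.
echo "leaked in captured listing: $(count_leaks)"
echo "leaked under allowlisted env: $(count_leaks_clean)"
```

The audit half is the part worth keeping around: run `jexec <jid> env | leaked_vars` (or the equivalent against a saved listing) as a quick check after changing how services are started in a jail, since the thread shows that `exec.clean` in jail.conf has no effect on an interactive `jexec` without `-l`.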




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180911225556.4koxpwp7u2e4jvyu>