Date:      Tue, 23 Jan 2007 13:42:48 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Alexander Leidinger <Alexander@Leidinger.net>
Cc:        freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org, Colin Percival <cperciva@FreeBSD.org>, "Simon L. Nielsen" <simon@FreeBSD.org>
Subject:   Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]
Message-ID:  <20070123124247.GC11767@garage.freebsd.pl>
In-Reply-To: <20070123132508.oy4elyx7kkogokkg@webmail.leidinger.net>
References:  <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <20070120122432.GA971@zaphod.nitro.dk> <20070120130308.GD6697@garage.freebsd.pl> <20070120152423.3195b15b@Magellan.Leidinger.net> <20070123113444.GB11767@garage.freebsd.pl> <20070123132508.oy4elyx7kkogokkg@webmail.leidinger.net>


On Tue, Jan 23, 2007 at 01:25:08PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (from Tue, 23 Jan 2007 12:34:44 +0100):
> >It looks like it may work, but I still find it a bit risky. If sh(1) can
> >reopen the file under some conditions or someone in the future will
> >modify sh(1) in that way (because he won't be aware that such a change
> >may have impact on system security) we will have a security hole.
> >Chances are small, but I'm not going to be the one who will accept that
> >change:)
>
> The spawned subshell is like a command. It doesn't make sense to reopen
> the file for a command. It's like saying we open and close the file for
> each line. I didn't calculate the probability of this happening, but I
> would be very surprised if it is significant. Just think about the
> performance of such behavior (or a more complex logic [...] And if you
> think about such unlikely stuff happening, you should also think about
> some other stuff we are not prepared to survive. [...]

Come on, this argument always stands. I only wanted to point out that we
should be extra careful with building security on top of tools that are
not intended for this purpose.

> [...] But feel free to propose a better solution for the problem.

The solution was proposed already - keep console.log outside of jail.

Don't read my comment as a "no" vote for your solution. If secteam@
decides there is nothing to worry about - fine by me.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

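The disagreement above turns on one sh(1) property: a redirection attached to a subshell is opened once for the whole group, whereas a redirection on each command opens the path anew every time. The following script, added here as an illustration and not part of the thread or of the FreeBSD jail rc script, shows the difference in a scratch directory. The path is renamed and recreated between two writes; with the subshell form both lines still land in the originally opened file, with the per-command form the second write goes to whatever the path now names. All file names and the scratch directory are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): compare how many lines
# reach the file that the path named when output started, when the path is
# swapped for a fresh file half way through. Scratch directory via mktemp.

# One redirection on the whole subshell: the shell opens "$d/log" once,
# so after the rename the open descriptor still points at the old inode.
subshell_redirect_lines() {
    d=$(mktemp -d)
    (
        echo one
        # swap the path for a different, empty file between the two writes
        mv "$d/log" "$d/log.first"
        : > "$d/log"
        echo two
    ) > "$d/log"
    # count the lines that ended up in the file opened at the start
    wc -l < "$d/log.first" | tr -d ' '
    rm -rf "$d"
}

# A redirection per command: each write resolves the path again, so the
# second line follows the path to the newly created file.
per_command_redirect_lines() {
    d=$(mktemp -d)
    echo one > "$d/log"
    mv "$d/log" "$d/log.first"
    : > "$d/log"
    echo two >> "$d/log"
    wc -l < "$d/log.first" | tr -d ' '
    rm -rf "$d"
}

printf 'subshell redirection:    %s line(s) in the originally opened file\n' \
    "$(subshell_redirect_lines)"
printf 'per-command redirection: %s line(s) in the originally opened file\n' \
    "$(per_command_redirect_lines)"
```

The subshell form keeps all output bound to the descriptor opened at the start, which is what the proposed fix relies on; the per-command form re-resolves the path for every write. Pawel's concern is that this guarantee is a property of the shell implementation rather than of any interface designed for security, so a future change to sh(1) could silently weaken it. Keeping the log file outside the jail removes the dependency altogether.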



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070123124247.GC11767>