From owner-freebsd-security@FreeBSD.ORG Thu Aug 18 14:48:28 2005 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 19E8A16A41F for ; Thu, 18 Aug 2005 14:48:28 +0000 (GMT) (envelope-from bra@fsn.hu) Received: from people.fsn.hu (people.fsn.hu [195.228.252.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id A228743D48 for ; Thu, 18 Aug 2005 14:48:27 +0000 (GMT) (envelope-from bra@fsn.hu) Received: from localhost (localhost [127.0.0.1]) by people.fsn.hu (Postfix) with ESMTP id E4A4F84418 for ; Thu, 18 Aug 2005 16:48:24 +0200 (CEST) Received: from people.fsn.hu ([127.0.0.1]) by localhost (people.fsn.hu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 01670-03-6 for ; Thu, 18 Aug 2005 16:48:18 +0200 (CEST) Received: from [172.16.129.72] (japan.t-online.co.hu [195.228.243.99]) by people.fsn.hu (Postfix) with ESMTP id 63EBB84408 for ; Thu, 18 Aug 2005 16:48:18 +0200 (CEST) Message-ID: <43049FB2.1030203@fsn.hu> Date: Thu, 18 Aug 2005 16:48:18 +0200 From: Attila Nagy User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050725) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@FreeBSD.org Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at fsn.hu Cc: Subject: Closing information leaks in jails? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Aug 2005 14:48:28 -0000 Hello, I'm wondering about closing some information leaks in FreeBSD jails from the "outside world". Not that critical (depends on the application), but a simple user, with restricted devfs in the jail (devfsrules_jail for example from /etc/defaults/devfs.rules) can figure out the following: - network interfaces related data, via ifconfig, which contains everything, but the primary IP address of the interfaces. It seems that alias IPs can be viewed: bge0: flags=8843 mtu 1500 options=1a ether 00:12:79:3d:83:c2 media: Ethernet autoselect (100baseTX ) status: active lo0: flags=8049 mtu 16384 inet 127.0.0.2 netmask 0xff000000 - the arp table via arp, which does contain the above interface addresses. This can be used for example to detect other machines on the same subnet, which communicate with the host machine. - full dmesg output after boot and the kernel buffer when it overflows (can contain sensitive information) - information about geom providers (at least geom mirror list works) - the list of the loaded kernel modules via kldstat - some interesting information about the network related stuff via netstat - information about configured swap space via swapinfo - NFS related statistics via nfsstat - a lot of interesting stuff via sysctl and maybe more, I can't think of currently. Are there any ways to close (some of) these? Thanks, -- Attila Nagy e-mail: Attila.Nagy@fsn.hu Adopt a directory on our free software phone @work: +361 371 3536 server! http://www.fsn.hu/?f=brick cell.: +3630 306 6758