From: Pawel Jakub Dawidek
To: Dirk Engling
Cc: freebsd-security@freebsd.org
Date: Mon, 15 Jan 2007 22:08:26 +0100
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID: <20070115210826.GA2839@garage.freebsd.pl>
In-Reply-To: <45ABDC7C.6060407@erdgeist.org>

On Mon, Jan 15, 2007 at 08:56:44PM +0100, Dirk Engling wrote:
> Pawel Jakub Dawidek wrote:
>
> > I'll keep /var/log/console.log outside a jail, because using
> > 'realpath -c' will be dangerous once the jail is running. There could be
> > a race where `realpath -c` returns one path, an attacker inside a jail
> > changes one of resolved path's component and rc.d/jail from outside a
> > jail tries to use it.
>
> A simple way to prevent race conditions (here an example to mount devfs
> into jails) is:
>
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_dev_dir}
> j_dev=`pwd`
> eval evil_doer=\$\{j_dev#${j_root}\}
> [ "$evil_doer" = "$j_dev" ] && exit
> mount_devfs devfs .

# ls -l /jails
lrwxr-x--- 1 root wheel 9 15 sty 21:58 /jails -> usr/jails
# jail_root="/usr/jails"
# jail_dev_dir="/jails/dev"
# cd ${jail_root}
# j_root=`pwd`
# echo $j_root
/usr/jails
# cd ${jail_dev_dir}
# j_dev=`pwd`
# echo $j_dev
/jails/dev
# eval evil_doer=\$\{j_dev#${j_root}\}
# echo $evil_doer
/jails/dev
# [ "$evil_doer" = "$j_dev" ] && echo "false positive"
false positive

In other words, it may break existing configurations.

> To do the same with console.log (I _really_ like this feature and would
> want it re-enabled asap) you can use something like:
>
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_var_log_dir}
> j_var_log=`pwd`
> eval evil_doer=\$\{j_var_log#${j_root}\}
> [ "$evil_doer" = "$j_var_log" ] && exit

--> Race <--

> cp -f ${temp_log} console.log

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
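
The false positive in the session above comes from `pwd` reporting the logical path, so a prefix comparison on it depends on how the directory was reached. The script below is an added example, not code from the thread or from rc.d/jail; its function names and temporary directory layout are constructed. It compares the quoted prefix check with one on physical paths (`pwd -P`), and covers path containment only, not the race marked before the `cp -f` step.

```shell
#!/bin/sh
# Added example; function names and the temporary layout are constructed.

# Prefix check on logical paths, as in the quoted snippet (0 = accepted).
logical_inside() {
    (
        cd "$1" || exit 2
        j_root=$(pwd -L)
        cd "$2" || exit 2
        j_dir=$(pwd -L)
        stripped=${j_dir#"$j_root"}
        [ "$stripped" != "$j_dir" ]
    )
}

# Same question asked of physical paths, with symlinks resolved (0 = accepted).
physical_inside() {
    (
        root=$(cd -P "$1" && pwd -P) || exit 2
        dir=$(cd -P "$2" && pwd -P) || exit 2
        # Trailing slash keeps /usr/jails2 from matching /usr/jails.
        case "$dir/" in
            "$root"/*) exit 0 ;;
            *) exit 1 ;;
        esac
    )
}

# Constructed tree: <base>/jails -> usr/jails (as in the session) and
# <base>/usr/jails/escape -> <base>/outside (a link leading out of the root).
make_tree() {
    base=$(mktemp -d) || return 1
    base=$(cd -P "$base" && pwd -P) || return 1
    mkdir -p "$base/usr/jails/dev" "$base/outside"
    ln -s usr/jails "$base/jails"
    ln -s "$base/outside" "$base/usr/jails/escape"
    printf '%s\n' "$base"
}

base=$(make_tree) || exit 1
for d in jails/dev usr/jails/dev usr/jails/escape; do
    logical_inside "$base/usr/jails" "$base/$d" && l=accept || l=reject
    physical_inside "$base/usr/jails" "$base/$d" && p=accept || p=reject
    printf '%-18s logical=%s physical=%s\n' "$d" "$l" "$p"
done
rm -rf "$base"
```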