From: Shawn Webb
To: Jason Hellenthal
Cc: d@delphij.net, secteam@FreeBSD.org, freebsd-security@freebsd.org, jamie@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org, Nicola Galante
Date: Thu, 6 Mar 2014 09:10:33 -0500
Subject: Re: misc/187307: Security vulnerability with FreeBSD Jail
In-Reply-To: <0E7A07FB-FE42-41BE-9FE2-36558C421411@dataix.net>
List: freebsd-security@freebsd.org

On Thu, Mar 6, 2014 at 1:55 AM, Jason Hellenthal wrote:
> I would also add . . . separate ssh keys and passwords if the user needs
> access to both host and jailed systems. This is just common practice and
> not a security flaw by any means but an engineering oversight.
>
> Popsicle sticks also have a security flaw, they let you jab yourself in
> the throat if you fall while sucking on them. Solution . . . sit down.

One can also use vnet (VIMAGE kernel option) in conjunction with jails to give each jail its own full TCP/IP stack, rather than sharing the TCP/IP stack with the host.
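As an added illustration of the vnet setup mentioned above (constructed for this page; it is not part of Shawn Webb's message nor taken from FreeBSD's own documentation), the following /etc/jail.conf stanza defines a jail that owns a separate network stack. It assumes a kernel built with the VIMAGE option, a jail root at /usr/jails/www, and an existing host bridge named bridge0; the jail name "www", the hostname, the paths and the epair interface names are placeholders.

```conf
# /etc/jail.conf -- constructed example of a vnet jail (not from the original post)
www {
    path = "/usr/jails/www";
    host.hostname = "www.example.org";

    # Give the jail its own TCP/IP stack instead of sharing the host's.
    vnet;
    # The "b" end of the epair is moved into the jail; the "a" end stays
    # on the host and is attached to a bridge so the jail can reach the LAN.
    vnet.interface = "epair0b";

    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    exec.start     = "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig epair0a destroy";

    mount.devfs;
    persist;
}
```

Because the jail has its own stack, no ip4.addr or ip6.addr is set here; the address is configured from inside the jail (for example with an ifconfig_epair0b line in the jail's own /etc/rc.conf), and the host's routing, firewall and sockets are not visible to it. A kernel without VIMAGE rejects the vnet parameter at jail start, so the option must be confirmed present before relying on this isolation.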