From: "V. Jones"
To: freebsd-security@freebsd.org
Date: Mon, 14 Jul 2003 12:39:50 -0400 (EDT)
Subject: Re: Re: jails, ipfilter & stunnel
Message-ID: <8213881.1058211676830.JavaMail.nobody@beaker.psp.pas.earthlink.net>

>No, no, no!
>You first need to realize how kernel will choose listen socket.
>If you bind to port 22 on main host with INADDR_ANY, you get this
>INADDR_ANY, but if you bind to 22 port in jail even with INADDR_ANY
>it will be translated to jail's ip. Now if there is open port outside
>jail and inside some jail it is opened as well, guess which socket will
>be chosen. Socket in jail, because it isn't INADDR_ANY (as I said kernel
>translate them to jail's ip). So from security point of view if someone
>will break into your jail, he is able to spoof your sshd (let's forget
>for a moment about server keys), your mail server or anything
>and get your password for example.
>You can check my patch for multiple ips in jails which also fix
>sockets ordering behaviour.
> For FreeBSD 4.x:
>   http://garage.freebsd.pl/mijail.tbz
>   http://garage.freebsd.pl/mijail.README
> For FreeBSD 5.1-CURRENT:
>   http://garage.freebsd.pl/mijail5.tbz
>   http://garage.freebsd.pl/mijail5.README
>   http://garage.freebsd.pl/patches/mijail5.patch

I have a feeling you're trying to tell me something important but I'm not understanding. Is this a problem only with ssh or with any server listening on a port? Does this problem occur when you share an ip address between two jailed servers or does it happen any time you use a jail? Would having ssh on a different port on each jail avoid the problem?
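
The listener ordering described in the quoted message can be checked for from the host side. The following Python script is an added example, not part of the original message or of the mijail patch: it reads listing text in the layout of FreeBSD `sockstat -4l` and reports every port where a wildcard (INADDR_ANY) listener coexists with a listener bound to a specific address. The sample listing, the jail address 192.0.2.10 and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout of FreeBSD `sockstat -4l` output, taken
# on the host. PIDs and the jail IP 192.0.2.10 are made up (assumption).
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       431   3  tcp4   *:22                  *:*
root     sendmail   502   4  tcp4   *:25                  *:*
root     sshd       977   3  tcp4   192.0.2.10:22         *:*
www      httpd      1203  16 tcp4   192.0.2.10:80         *:*
root     syslogd    388   6  udp4   *:514                 *:*
"""


def parse_listeners(text):
    """Yield (proto, addr, port, command, pid) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header or malformed line
        addr, _, port = fields[5].rpartition(":")
        if port.isdigit():
            yield fields[4], addr, int(port), fields[1], int(fields[2])


def shadowed_wildcards(text):
    """Map (proto, port) -> listeners, for ports where a wildcard listener
    coexists with a listener bound to a specific address (e.g. a jail IP).
    Traffic to that address goes to the specific socket, not the wildcard."""
    by_port = defaultdict(lambda: {"wildcard": [], "specific": []})
    for proto, addr, port, cmd, pid in parse_listeners(text):
        kind = "wildcard" if addr == "*" else "specific"
        by_port[(proto, port)][kind].append((addr, cmd, pid))
    return {k: v for k, v in by_port.items()
            if v["wildcard"] and v["specific"]}


if __name__ == "__main__":
    for (proto, port), hit in sorted(shadowed_wildcards(SAMPLE).items()):
        print(f"{proto} port {port}:")
        for addr, cmd, pid in hit["wildcard"]:
            print(f"  wildcard listener  {cmd} (pid {pid}) on *")
        for addr, cmd, pid in hit["specific"]:
            print(f"  specific listener  {cmd} (pid {pid}) on {addr}")
```

A flagged port is one where the host's wildcard service and an address-bound service both listen; binding the host service to an explicit address instead of INADDR_ANY removes the wildcard entry from the listing.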