From owner-freebsd-security@FreeBSD.ORG Thu Jul 18 13:09:11 2013
Message-Id: <201307181308.r6ID8eGI023276@fire.js.berklix.net>
From: "Julian H. Stacey" <jhs@berklix.com>
Organization: http://berklix.com BSD Linux Unix Consultancy, Munich Germany
To: freebsd-jail@freebsd.org, freebsd-security@freebsd.org
Cc: np@bsn.com
Date: Thu, 18 Jul 2013 15:08:40 +0200
Subject: /dev/pts/0 in a jail shows no one is observing from outer prison.
List-Id: "Security issues [members-only posting]"

Hi freebsd-jail@freebsd.org, freebsd-security@freebsd.org
cc: np@bsn.com

I noticed something within a jail that seems a little slack:

An ssh to a jail followed by who, if it shows just pts/0, shows no one
else is logged in { within the jail, and also the outer prison [and
presumably also other parallel jails] }.

(OK, yes, an admin might be logged in to the prison on a direct wire or
ttyv, but that is most unlikely in the common case of a remote server farm.)

So the person logging in to the jail is effectively told "Owner of the
prison is also absent, now is a good time to try exploits."

Ideally, within a jail, logins would get no indication of whether the
prison & other jails were logged in or not.

(OK, yes, one might argue that on a traditional non-prison & jails server
one can also see who is, or is not, logged in on one large common system,
but presumably one benefit of putting users in jails should be that the
jailed should no longer see the presence of outside users?)

Is it viable to tighten the default?

man jail has:
	devfs_ruleset
		zero (default)

I was using a jail created by ezjail.
The outer prison (names obfuscated):

	mount | grep dev
	devfs on /dev (devfs, local, multilabel)
	devfs on /tank4/ezjail/jail1.org/dev (devfs, local, multilabel)
	fdescfs on /tank4/ezjail/jail1.org/dev/fd (fdescfs)
	devfs on /tank4/ezjail/jail2.org/dev (devfs, local, multilabel)
	fdescfs on /tank4/ezjail/jail2.org/dev/fd (fdescfs)

Why I noticed: My DSL link timed out (no sshd with TCPKeepAlive=Yes, &
failed ping -i 120 -q my-isp.de). Within the jail, after who & ps -t to
kill junk, new logins persisted at pts/1, not pts/0.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.
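The observation above is that the pts number a jailed login receives, and the pts devices it can list, say something about sessions the jail itself cannot see in who(1). The following is an added example, not code from the original post or from FreeBSD or ezjail: a small POSIX sh script that, run inside a jail, compares the pts devices present under /dev/pts with the pts entries that who attributes to logins in that jail. It assumes the jail's devfs ruleset unhides pts/* (as the stock devfsrules_jail ruleset does), so that ptys held by the host or by sibling jails appear in the listing; if the ruleset hides them the "unaccounted" list is simply empty, which is itself the desired state. The who output and device listing used below are constructed samples; the --live mode runs the real commands.

```shell
#!/bin/sh
# Added example (not part of the original post): report what a jailed
# login can infer about sessions outside the jail from pts numbering and
# the pts devices visible under /dev/pts.
#
# Assumption (labelled): the jail's devfs ruleset unhides pts/*, so every
# allocated pty on the system shows up in `ls /dev/pts` inside the jail.

# lowest_pts WHO_OUTPUT
#   Prints the lowest pts number among the logins in WHO_OUTPUT (the
#   second column of who(1) output, e.g. "pts/0"); prints nothing if no
#   pts login is listed.  A lowest number above 0 means ptys below it are
#   held by sessions this jail does not list.
lowest_pts() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^pts\// { sub("pts/", "", $2); n = $2 + 0
                        if (min == "" || n < min) min = n }
        END { if (min != "") print min }'
}

# unaccounted_pts WHO_OUTPUT PTS_LISTING
#   PTS_LISTING is the output of `ls /dev/pts` (one number per line).
#   Prints, one per line and numerically sorted, each pts/N that exists
#   but that no login in WHO_OUTPUT accounts for: those belong to the
#   outer prison or to a sibling jail (or are hidden by the ruleset).
unaccounted_pts() {
    who_out=$1
    pts_list=$2
    # pts numbers that `who` attributes to this jail's own sessions
    seen=$(printf '%s\n' "$who_out" | awk '
        $2 ~ /^pts\// { sub("pts/", "", $2); print $2 }' | tr '\n' ' ')
    for n in $pts_list; do
        case " $seen " in
            *" $n "*) ;;                      # accounted for by a jail login
            *) printf 'pts/%s\n' "$n" ;;     # held by something we cannot see
        esac
    done | sort -t/ -k2 -n
}

# Live report for running inside a jail: ./pts_leak.sh --live
if [ "${1:-}" = "--live" ]; then
    who_now=$(who)
    pts_now=$(ls /dev/pts 2>/dev/null)
    printf 'lowest pts seen by who: %s\n' "$(lowest_pts "$who_now")"
    printf 'pts devices not accounted for by this jail:\n'
    unaccounted_pts "$who_now" "$pts_now"
fi
```

Reading the report: if who shows only pts/0 and nothing is unaccounted for, the jail is seeing exactly the situation described in the post (no pty held outside it); any pts/N in the unaccounted list is a pty that a session outside this jail currently holds.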