Date: Sun, 13 Jul 2014 04:55:04 +0200
From: Mateusz Guzik
To: Warren Block
Cc: freebsd-jail@FreeBSD.org
Subject: Re: mergemaster and better support for ezjails
Message-ID: <20140713025504.GB16884@dft-labs.eu>
List-Id: "Discussion about FreeBSD jail(8)"

On Sat, Jul 12, 2014 at 08:08:52PM -0600, Warren Block wrote:
> A couple of patches to make mergemaster work better with ezjails.
>
> These are only very superficially tested. Feedback welcome.
>
> 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This
> allows IGNORE_FILES to be set in the jail. And other settings, but
> that's the one I wanted.
>

How exactly does it work? Is jailed root allowed to create
/etc/mergemaster.rc?

If so, that would be a jail escape vector - an attacker puts commands they
want to execute inside and mergemaster sourcing the file will trigger
executing them.

In fact running mergemaster from "outside" on an untrusted jail seems like
a security weakness even without jailed-root controlled rc file since they
can try to do something fishy with symlinks which now resolve to stuff on
the host.

The following should be safe enough:
- have a dedicated RO jail
- mount to-be-updated jail under /mnt/jail or whatever
- mount sources/whatever RO under /usr/src or whatever
- run update process from inside dedicated RO jail

-- 
Mateusz Guzik
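The two hazards raised in the reply above, a jail-root-controlled rc file that gets sourced on the host and a symlink inside the jail that resolves to a host path when followed from outside, can both be checked for from the host side. The script below is an added example written for this page; it is not code from the thread, from mergemaster or from ezjail. It assumes realpath(1) (present in FreeBSD base and GNU coreutils), and the jail tree it builds under a temporary directory is constructed purely for the demonstration. `jail_path_contained` rejects any path whose canonical form leaves the jail root, and `rc_ignore_files` reads `IGNORE_FILES` out of the jail's rc file without ever sourcing it, so a command line planted in that file is simply ignored instead of executed.

```shell
#!/bin/sh
# Added example (not from the thread, not mergemaster's own code).
# Assumes realpath(1); the jail tree below is constructed for the demo.

# jail_path_contained JAILROOT RELPATH
# Returns 0 only if JAILROOT/RELPATH exists and canonicalises to a path
# strictly below JAILROOT. A symlink inside the jail that points at /etc
# or any other host path resolves outside the tree when followed from the
# host and is rejected; a missing path is rejected as well.
jail_path_contained() {
    root=$(realpath "$1") || return 1
    resolved=$(realpath "$root/$2" 2>/dev/null) || return 1
    [ -e "$resolved" ] || return 1      # GNU realpath tolerates a missing leaf
    case "$resolved" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# rc_ignore_files RCFILE
# Reads IGNORE_FILES from a jail-controlled mergemaster.rc WITHOUT sourcing
# it. Only a bare IGNORE_FILES=... line free of shell metacharacters is
# accepted; every other line, commands included, is ignored, so nothing in
# the file is ever executed on the host. The last accepted line wins.
rc_ignore_files() {
    value=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            IGNORE_FILES=*) ;;
            *) continue ;;
        esac
        v=${line#IGNORE_FILES=}
        if printf '%s' "$v" | grep -q '[;&|$`<>()]'; then
            continue                    # looks like shell syntax: skip it
        fi
        case "$v" in
            \"*\") v=${v#\"}; v=${v%\"} ;;   # strip one layer of quotes
            \'*\') v=${v#\'}; v=${v%\'} ;;
        esac
        value=$v
    done < "$1"
    printf '%s\n' "$value"
}

# build_demo_jail DIR
# Constructed jail tree: a host-only file, a symlink inside the jail that
# points at it, and an rc file carrying a setting plus a planted command.
# Prints the jail root.
build_demo_jail() {
    mkdir -p "$1/jail/etc" "$1/host"
    printf 'host-only data\n' > "$1/host/secret"
    ln -s "$1/host/secret" "$1/jail/etc/escape"
    printf 'IGNORE_FILES="/etc/motd /etc/rc.conf"\necho this-would-run-on-the-host-if-sourced\n' \
        > "$1/jail/etc/mergemaster.rc"
    printf '%s\n' "$1/jail"
}

work=$(mktemp -d)
jail=$(build_demo_jail "$work")
jail_path_contained "$jail" etc/mergemaster.rc && echo "etc/mergemaster.rc: inside the jail"
jail_path_contained "$jail" etc/escape || echo "etc/escape: resolves to a host path, rejected"
echo "IGNORE_FILES from rc without sourcing: $(rc_ignore_files "$jail/etc/mergemaster.rc")"
rm -rf "$work"
```

The containment check is only meaningful when run from the host with the jail's root as `JAILROOT`; from inside a jail the same absolute symlink would resolve within the jail's own view of the filesystem, which is the whole point of the dedicated read-only update jail suggested above. Reading a single allowlisted variable is a narrower substitute for sourcing, not a general hardening of mergemaster; any setting that needs shell evaluation still has to come from a file the jail root cannot write.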