From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 03:24:38 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1CEAD1CA for ; Sun, 13 Jul 2014 03:24:38 +0000 (UTC) Received: from wonkity.com (wonkity.com [67.158.26.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "wonkity.com", Issuer "wonkity.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C33332DC6 for ; Sun, 13 Jul 2014 03:24:37 +0000 (UTC) Received: from wonkity.com (localhost [127.0.0.1]) by wonkity.com (8.14.9/8.14.9) with ESMTP id s6D3OZQR029164 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 12 Jul 2014 21:24:35 -0600 (MDT) (envelope-from wblock@wonkity.com) Received: from localhost (wblock@localhost) by wonkity.com (8.14.9/8.14.9/Submit) with ESMTP id s6D3OZw9029161; Sat, 12 Jul 2014 21:24:35 -0600 (MDT) (envelope-from wblock@wonkity.com) Date: Sat, 12 Jul 2014 21:24:35 -0600 (MDT) From: Warren Block To: Mateusz Guzik Subject: Re: mergemaster and better support for ezjails In-Reply-To: <20140713025504.GB16884@dft-labs.eu> Message-ID: References: <20140713025504.GB16884@dft-labs.eu> User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (wonkity.com [127.0.0.1]); Sat, 12 Jul 2014 21:24:35 -0600 (MDT) Cc: freebsd-jail@FreeBSD.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Jul 2014 03:24:38 -0000 On Sun, 13 Jul 2014, Mateusz Guzik wrote: > On Sat, Jul 12, 2014 at 08:08:52PM -0600, Warren Block wrote: >> A couple of patches to make mergemaster work better with ezjails. >> >> These are only very superficially tested. Feedback welcome. >> >> 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This >> allows IGNORE_FILES to be set in the jail. And other settings, but >> that's the one I wanted. >> > > How exactly does it work? > > Is jailed root allowed to create /etc/mergemaster.rc? Yes. Or at least I don't know of anything preventing that. > If so, that would be a jail escape vector - an attacker puts commands they > want to execute inside and mergemaster sourcing the file will trigger > executing them. Ouch. Seems obvious now that you mention it. Probably mergemaster.rc should have a defined format rather than being sourced anyway. Another way to implement ignored files would be to extend the definitions in (the host's) /etc/mergemaster.rc to include ignored files by jail name or full path. Full paths do not work presently because IGNORE_FILES just deletes the temporary file so it is not compared. > In fact running mergemaster from "outside" on an untrusted jail seems > like a security weakness even without jailed-root controlled rc file > since they can try to do something fishy with symlinks which now resolve > to stuff on the host. > > The following should be safe enough: > - have a dedicated RO jail > - mount to-be-updated jail under /mnt/jail or whatever > - mount sources/whatever RO under /usr/src or whatever > - run update process from inside dedicated RO jail Thank you!