Date: Sat, 12 Jul 2014 21:24:35 -0600 (MDT) From: Warren Block <wblock@wonkity.com> To: Mateusz Guzik <mjguzik@gmail.com> Cc: freebsd-jail@FreeBSD.org Subject: Re: mergemaster and better support for ezjails Message-ID: <alpine.BSF.2.11.1407122056420.50320@wonkity.com> In-Reply-To: <20140713025504.GB16884@dft-labs.eu> References: <alpine.BSF.2.11.1407121753240.50320@wonkity.com> <20140713025504.GB16884@dft-labs.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 13 Jul 2014, Mateusz Guzik wrote: > On Sat, Jul 12, 2014 at 08:08:52PM -0600, Warren Block wrote: >> A couple of patches to make mergemaster work better with ezjails. >> >> These are only very superficially tested. Feedback welcome. >> >> 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This >> allows IGNORE_FILES to be set in the jail. And other settings, but >> that's the one I wanted. >> > > How exactly does it work? > > Is jailed root allowed to create /etc/mergemaster.rc? Yes. Or at least I don't know of anything preventing that. > If so, that would be a jail escape vector - an attacker puts commands they > want to execute inside and mergemaster sourcing the file will trigger > executing them. Ouch. Seems obvious now that you mention it. Probably mergemaster.rc should have a defined format rather than being sourced anyway. Another way to implement ignored files would be to extend the definitions in (the host's) /etc/mergemaster.rc to include ignored files by jail name or full path. Full paths do not work presently because IGNORE_FILES just deletes the temporary file so it is not compared. > In fact running mergemaster from "outside" on an untrusted jail seems > like a security weakness even without jailed-root controlled rc file > since they can try to do something fishy with symlinks which now resolve > to stuff on the host. > > The following should be safe enough: > - have a dedicated RO jail > - mount to-be-updated jail under /mnt/jail or whatever > - mount sources/whatever RO under /usr/src or whatever > - run update process from inside dedicated RO jail Thank you!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.11.1407122056420.50320>