Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 12 Jan 2007 04:27:34 +0100
From:      Philipp Wuensche <cryx-freebsd@h3q.com>
To:        Colin Percival <cperciva@freebsd.org>
Cc:        freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID:  <45A70026.2010601@h3q.com>
In-Reply-To: <45A6DB76.40800@freebsd.org>
References:  <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Colin Percival wrote:
> Hello Everyone,
> 
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix the all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
> 
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail)

Thats a bummer, when Dirk showed me this problem the first time my ideas
for fixing this problem without losing the functionality where changing
flags on the file so it can't be removed or/and checking if it is really
a file or a symlink instead. Of course you have to check if /var/log has
symlinked parent directories before.

First is quite problematic and setting flags on file is something
scripts which create a jail in the first place probably have to bother
with so option two would be my approach. Did I miss a possible problem
with that idea?

> (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and

If I understand the patch correct it checks recursive all parent
directories of a mountpoint in is_symlinked_mountpoint(), wouldn't it be
better to just check for a symlinked parent directory up to and not
including ${_rootdir}? I think that wouldn't weaken security and  people
would be allowed to use symlinks for their jail root-directories and
above. I already know some setups which will break with the current patch.

> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).

I'm not sure I understand that quite correct, where is this problem
appearing?

Other things:

tail is used in line 230: tail -r ${_fstab} | while read _device
_mountpt _rest; do

If the per-jail fstab is larger than 10 lines, which is the default of
tail to show, the remaining mountpoints will not be unmounted?


Anyway thanks to the freebsd team.

greetings,
philipp





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45A70026.2010601>