From: Alexander Leidinger
To: Pawel Jakub Dawidek
Cc: Dirk, freebsd-security@FreeBSD.org, Engling, Colin Percival
Date: Tue, 16 Jan 2007 10:43:57 +0100
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID: <20070116104357.jkztqfpta88wk48c@webmail.leidinger.net>

Quoting Pawel Jakub Dawidek (from Tue, 16 Jan 2007 09:42:43 +0100):

>       good-guy                                attacker-within-a-jail
>
>       cd /jail/var/log
>       mktemp foo.XXX
>                                               rm -f foo.XXX
>                                               ln -s /etc/spwd.db foo.XXX
>       copy /path/to/jail_console.log foo.XXX
>       mv -f foo.XXX console.log

I did not have time to look at how the console part is handled. But
out of the blue I would assume the console.log is created before the
jail is started. Like:

 - check if console.log is a file which we are allowed to overwrite
   (no symlink pointing outside the jail)
 - bail out if it points outside the jail or prefix the jail base
   directory to the resulting path if it is a link
 - (echo "Starting $(date)"; start_jail) >>${console.log}

The echo is there to make sure it exists and the subshell to make sure
the file is not closed. This assumes the output is not more than line
buffered (it isn't here on Solaris 10 with zsh).

Why can't we do it like this?

Bye,
Alexander.

-- 
" "             -- Charlie Chaplin
" "             -- Harpo Marx
" "             -- Marcel Marceau

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
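
Added example (not part of the original message, and not the FreeBSD jail startup code): the three steps listed in the message written as shell functions, taking the bail-out option for links that leave the jail. The names canon, inside, check_console_log and run_with_console_log are hypothetical. It assumes, as the message does, that it runs before the jail is started, because the check and the open are separate steps.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from rc.d/jail.

# canon PATH: print PATH with every symlink resolved (host view).
canon() {
    realpath "$1" 2>/dev/null || readlink -f "$1" 2>/dev/null
}

# inside ROOT PATH: succeed only if PATH lies below ROOT.
inside() {
    case "$2" in
        "$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_console_log JAILROOT LOGPATH
# Steps 1 and 2 of the message: accept a missing or regular file, accept
# a symlink only if it resolves inside the jail, otherwise bail out.
# Prints the path to open on success.
check_console_log() {
    root=$(canon "$1") || return 1
    dir=$(canon "$(dirname "$2")") || return 1
    inside "$root" "$dir/" || return 1      # the parent may be a link too
    log="$dir/$(basename "$2")"
    if [ -L "$log" ]; then
        target=$(canon "$log") || return 1  # unresolvable link: refuse
        inside "$root" "$target" || return 1
    elif [ -e "$log" ] && [ ! -f "$log" ]; then
        return 1                            # fifo, device or directory
    fi
    printf '%s\n' "$log"
}

# run_with_console_log JAILROOT LOGPATH COMMAND...
# Step 3: the subshell keeps the log open for the whole run of COMMAND.
run_with_console_log() {
    log=$(check_console_log "$1" "$2") || {
        echo "refusing to write $2" >&2
        return 1
    }
    shift 2
    ( echo "Starting $(date)"; "$@" ) >>"$log"
}
```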