From owner-freebsd-stable@FreeBSD.ORG Wed Jan 17 10:11:11 2007
Date: Wed, 17 Jan 2007 15:57:42 +0600
From: Dmitry Frolov
To: Colin Percival
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID: <20070117095742.GW43331@nerve.riss-telecom.ru>
In-Reply-To: <45A6DB76.40800@freebsd.org>
Organization: RISS-Telecom, JSC

* Colin Percival [12.01.2007 06:53]:
> Hello Everyone,
>
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
>
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).
>
> While this is not ideal, this security issue was extraordinarily messy due to
> the power and flexibility of the jails and the jail rc.d script. I can't
> recall any other time when the security team has spent this long trying to
> find a working patch for a security issue. I'd like to publicly thank Simon
> Nielsen for the many many hours he spent working on this issue, as well as
> the release engineering team for being very patient with us and delaying the
> upcoming release to give us time to fix this.

The other approach to writing the log file safely is to do it from the
process running inside a jail. As an example, there is
ports/sysutils/jailer, which does that (with a small modification).
Here are small patches that fix it to work on FBSD > 4 and allow it
to write to a log file instead of the console:

http://kaya.nov.net/frol/patches/jailer-1.1.2-fbsd5-console.diff
http://kaya.nov.net/frol/patches/jailer-1.1.2-injail-sysctl.diff

wbr&w, dmitry.
--
Dmitry Frolov
RISS-Telecom Network, Novosibirsk, Russia
66415911@ICQ, +7 383 2278800, DVF-RIPE
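
A check for the assumption quoted above (mount points in per-jail fstab files must be real, non-symlinked paths), as an added example that is not part of the original message, the advisory, or the FreeBSD patch. The function names `first_symlink` and `check_jail_fstab` are hypothetical, and the script assumes absolute mount points with no escaped whitespace.

```shell
#!/bin/sh
# Added example: flag per-jail fstab mount points whose path contains a
# symlink in any component. The advisory asks for the real path instead.
#
# Constructed sample fstab line this is meant to catch, where
# /jails/www is a symlink to another directory:
#   /usr/ports  /jails/www/usr/ports  nullfs  ro  0  0

# Print the first symlinked component of absolute path $1.
# Returns 0 if one was found, 1 if every existing component is real.
first_symlink() {
    (
        set -f              # no globbing while the path is split
        IFS=/
        cur=
        for part in $1; do
            [ -n "$part" ] || continue      # skip empty fields from "/" and "//"
            cur="$cur/$part"
            if [ -L "$cur" ]; then
                printf '%s\n' "$cur"
                exit 0
            fi
        done
        exit 1
    )
}

# Check the mount point (second field) of every entry in fstab file $1.
# Prints one line per offending entry; returns 1 if any were found.
check_jail_fstab() {
    rc=0
    while read -r dev mnt rest || [ -n "$dev" ]; do
        case $dev in ''|'#'*) continue ;; esac  # blank lines and comments
        [ -n "$mnt" ] || continue
        if link=$(first_symlink "$mnt"); then
            printf '%s: symlink at %s\n' "$mnt" "$link"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Stand-alone use: pass the path of one per-jail fstab file.
if [ "$#" -gt 0 ]; then
    check_jail_fstab "$1"
fi
```

Each reported entry should be rewritten to use the resolved path of the mount point, as the quoted advisory text instructs.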