Date: Wed, 17 Jan 2007 15:57:42 +0600 From: Dmitry Frolov <frolov@riss-telecom.ru> To: Colin Percival <cperciva@freebsd.org> Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail Message-ID: <20070117095742.GW43331@nerve.riss-telecom.ru> In-Reply-To: <45A6DB76.40800@freebsd.org> References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
* Colin Percival <cperciva@freebsd.org> [12.01.2007 06:53]: > Hello Everyone, > > I usually let security advisories speak for themselves, but I want to call > special attention to this one: If you use jails, READ THE ADVISORY, in > particular the "NOTE WELL" part below; and if you have problems after applying > the security patch, LET US KNOW -- we do everything we can to make sure > that security updates will never cause problems, but in this case we could > not fix the all of the security issues without either making assumptions > about how systems are configured or reducing functionality. > > In the end we opted to reduce functionality (the jail startup process is > no longer logged to /var/log/console.log inside the jail), make an assumption > about how systems are configured (filesystems which are mounted via per-jail > fstab files should not be mounted on symlinks -- if you do this, adjust your > fstab files to give the real, non-symlinked, path to the mount point), and > leave a potential security problem unfixed (if you mount any filesystems via > per-jail fstab files on mount points which are visible within multiple jails, > there are problems -- don't do this). > > While this is not ideal, this security issue was extraordinarily messy due to > the power and flexibility of the jails and the jail rc.d script. I can't > recall any other time when the security team has spent this long trying to > find a working patch for a security issue. I'd like to publicly thank Simon > Nielsen for the many many hours he spent working on this issue, as well as > the release engineering team for being very patient with us and delaying the > upcoming release to give us time to fix this. The other approach to write log file safely is to do it from the process running inside a jail. As an example, there is a ports/sysutils/jailer that does that (with small modification). Here are small patches that fix it to work on FBSD > 4 and allows it to write to log file instead of console: http://kaya.nov.net/frol/patches/jailer-1.1.2-fbsd5-console.diff http://kaya.nov.net/frol/patches/jailer-1.1.2-injail-sysctl.diff wbr&w, dmitry. -- Dmitry Frolov <frolov@riss-telecom.ru> RISS-Telecom Network, Novosibirsk, Russia 66415911@ICQ, +7 383 2278800, DVF-RIPE
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070117095742.GW43331>