From owner-freebsd-bugs@FreeBSD.ORG Wed Feb 25 09:10:05 2009
Resent-Date: Wed, 25 Feb 2009 09:10:05 GMT
Resent-Message-Id: <200902250910.n1P9A5ro027293@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id: <200902250905.n1P95RHt043610@www.freebsd.org>
Date: Wed, 25 Feb 2009 09:05:27 GMT
From: Aleksandr Stankevic
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/132092: jail can listen on *:port when jail_socket_unixiproute_only set to NO

>Number: 132092
>Category: misc
>Synopsis: jail can listen on *:port when jail_socket_unixiproute_only set to NO
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 25 09:10:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Aleksandr Stankevic
>Release:
>Organization:
>Environment:
FreeBSD alex.viko.lt 7.1-RELEASE-p3 FreeBSD 7.1-RELEASE-p3 #0: Tue Feb 24 22:53:54 EET 2009 alex@alex.viko.lt:/usr/src/sys/i386/compile/GENERIC i386
>Description:
I've noticed that apache in a jail is listening on *:80. After debugging for some time, I found out it's because of jail_socket_unixiproute_only set to NO. The problem is that it is really listening on *:80, and not on the IP the jail was given. I.e.

Host system IP: 111.111.128.50
Jail system IP: 111.111.128.51

Host system only has sshd running, no other network services. Jail system has apache installed. Apache is listening on *:80. By telnetting to 111.111.128.50:80 (the host IP) I will connect to the jail system. It's kind of a jail escape IMHO. Other jails, which don't have anything listening on port 80, can be connected to via port 80. But the destination server will be the jail which listens on *:80.
>How-To-Repeat:
Set jail_socket_unixiproute_only=NO in rc.conf, start a jail, and create a socket listening on *:port. Can't reproduce with software like netcat, but software like apache/jabberd can listen on *:port.
>Fix:
I don't know if that's a wanted behavior. I can see two solutions:
1. If it should work that way, then add a note/warning to the docs so users know that setting jail_socket_unixiproute_only to NO will lower the security of the jail by letting it bind to the wildcard IP.
2. If it shouldn't work that way, then fix it so it can't listen on the wildcard IP, and that way fix the jail/privilege escape.
>Release-Note:
>Audit-Trail:
>Unformatted:
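An added audit check for the behaviour described in this PR (example code, not part of the PR or of FreeBSD): run inside a jail, it binds a TCP socket to *:port and then asks the kernel what address the socket really ended up on, so an administrator can see whether the jail rewrote the wildcard to its own IP or left a host-wide *:port listener. It assumes only the standard sockets API; port 0 is used so no privileges are needed.

```c
/* Added check, not from the PR: does a wildcard bind inside this jail
 * stay 0.0.0.0 (reachable through every host address, as reported)
 * or get rewritten to the jail's own IP (the expected confinement)? */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pure classifier: 1 if the address is the IPv4 wildcard, else 0. */
int is_wildcard_addr(const struct sockaddr_in *sa)
{
    return sa->sin_family == AF_INET &&
           sa->sin_addr.s_addr == htonl(INADDR_ANY);
}

/* Bind *:port (0 = any free port), listen, then read back the bound
 * address with getsockname(). Returns 1 if the socket is still on the
 * wildcard address, 0 if the kernel substituted a specific IP, -1 on
 * error (errno is left set by the failing call). */
int check_wildcard_bind(unsigned short port)
{
    struct sockaddr_in req, got;
    socklen_t len = sizeof(got);
    int wild, fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&req, 0, sizeof(req));
    req.sin_family = AF_INET;
    req.sin_port = htons(port);
    req.sin_addr.s_addr = htonl(INADDR_ANY);   /* the *:port request */
    if (bind(fd, (struct sockaddr *)&req, sizeof(req)) < 0 ||
        listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return -1;
    }
    wild = is_wildcard_addr(&got);
    printf("bound to %s:%u (%s)\n", inet_ntoa(got.sin_addr),
           ntohs(got.sin_port),
           wild ? "WILDCARD: reachable via every host address"
                : "confined to a specific address");
    close(fd);
    return wild;
}

int main(void)
{
    return check_wildcard_bind(0) < 0;   /* exit status 1 only on error */
}
```

On an unjailed host the bind stays on 0.0.0.0; inside a jail the result shows directly whether the jail_socket_unixiproute_only setting left the wildcard listener in place.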