Date: Sat, 13 Jan 2007 12:29:37 +0100
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Colin Percival <cperciva@freebsd.org>
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID: <20070113112937.GI90718@garage.freebsd.pl>
In-Reply-To: <45A6DB76.40800@freebsd.org>
References: <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org>
On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> Hello Everyone,
>
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
>
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).

I don't like the way it was fixed. I do know it wasn't easy to fix.
I don't like it because it breaks almost all my current jails, because I
often use /jails/ paths in fstabs, which is actually a symlink to /usr/jails/.

What I'd like to suggest, which seems a much better way to fix the problem, is:

1. Apply the patch:
   http://people.freebsd.org/~pjd/patches/realpath.patch

2. Find the full path to the jail's root with `realpath $_rootdir`.

3. Take the first entry from /etc/fstab.<name>; for example, we have a
   mount point /usr/jails/foo/usr/lib in there.
   Run `realpath /usr` and compare with $_rootfulldir; if it doesn't match,
   run `realpath /usr/jails` and compare; if it doesn't match, take the next
   path component until we find a match. When a match is found, what's left
   over is the mount point inside the jail, e.g. '/usr/lib'.
   Now run real=`realpath -c $_rootdir /usr/lib`, which will give us the
   full path inside the jail. Then we need to mount the file system on
   $_rootdir/$real.

4. Repeat 3 for each fstab entry.

With this approach one can use symlinks in any mount-point component.
The whole complexity in point 3 is because people can have the jail's root
configured as '/usr/jails/foo', but use the '/jails/foo' prefix for mount points.

I'll keep /var/log/console.log outside a jail, because using 'realpath -c'
will be dangerous once the jail is running. There could be a race where
`realpath -c` returns one path, an attacker inside a jail changes one of
the resolved path's components and rc.d/jail from outside the jail tries
to use it.

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
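The prefix-matching and jail-confined resolution described in steps 2 and 3 above, as an added example that is not part of the original message and not the FreeBSD rc.d/jail code. The `confined_realpath` function here is my own stand-in for the `realpath -c` behaviour of the author's patch (which I have not read): symlink targets beginning with `/` are re-rooted at the jail root and `..` never climbs above it, which is what a process chrooted into the jail would see. The directory tree is constructed in a temporary directory purely for the demonstration; names such as `build_demo_tree` and `host_mountpoint` are mine, and nothing here performs a real mount.

```python
"""Resolve per-jail fstab mount points the way the message proposes.

Added illustration, not FreeBSD's rc.d/jail.  confined_realpath() is an
assumed equivalent of the author's `realpath -c`; the sample tree is
constructed for the demo.  As the message warns, run this BEFORE the jail
is started: the symlinks it reads belong to the jail, and an attacker in a
running jail could swap them between resolution and mount (a TOCTOU race).
"""
import errno
import os
import tempfile


def jail_relative_mountpoint(rootdir, mountpoint):
    """Step 3: walk the fstab mount point from the left, realpath() each
    prefix and compare it with realpath(rootdir).  The first match marks the
    jail root; what follows is the mount point as seen inside the jail
    (e.g. /jails/foo/usr/lib -> /usr/lib when /jails -> /usr/jails)."""
    root_real = os.path.realpath(rootdir)
    parts = [c for c in mountpoint.split("/") if c]
    prefix = "/"
    for i, comp in enumerate(parts):
        prefix = os.path.join(prefix, comp)
        if os.path.realpath(prefix) == root_real:
            return "/" + "/".join(parts[i + 1:])
    raise ValueError("%s is not below jail root %s" % (mountpoint, rootdir))


def confined_realpath(root, path, max_links=32):
    """Assumed stand-in for `realpath -c`: resolve `path` as a process
    chrooted to `root` would.  Absolute symlink targets are re-rooted at
    `root`, '..' is clamped at `root`, and link chains are bounded."""
    root = os.path.realpath(root)
    resolved = []                       # canonical components below root
    pending = [c for c in path.split("/") if c]
    links = 0
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            if resolved:                # never above the jail root
                resolved.pop()
            continue
        candidate = os.path.join(root, *(resolved + [comp]))
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError(errno.ELOOP, "too many symbolic links", path)
            target = os.readlink(candidate)
            if target.startswith("/"):
                resolved = []           # '/' means the jail's root, not host '/'
            pending = [c for c in target.split("/") if c] + pending
            continue
        resolved.append(comp)
    return "/" + "/".join(resolved)


def host_mountpoint(rootdir, fstab_mountpoint):
    """Steps 2 and 3 combined: the host directory to actually mount on,
    i.e. $_rootdir/$real in the message's notation."""
    inside = jail_relative_mountpoint(rootdir, fstab_mountpoint)
    real = confined_realpath(rootdir, inside)
    return os.path.normpath(os.path.join(os.path.realpath(rootdir), real.lstrip("/")))


def build_demo_tree():
    """Constructed sample layout (not from the message): <base>/usr/jails/foo
    is the jail, <base>/jails is a symlink to <base>/usr/jails, and the jail
    holds one harmless internal symlink plus two that try to escape."""
    base = tempfile.mkdtemp(prefix="jaildemo.")
    jail = os.path.join(base, "usr", "jails", "foo")
    os.makedirs(os.path.join(jail, "usr", "lib"))
    os.makedirs(os.path.join(jail, "var", "tmp"))
    os.symlink(os.path.join(base, "usr", "jails"), os.path.join(base, "jails"))
    os.symlink("/var/tmp", os.path.join(jail, "tmp"))        # jail-internal absolute link
    os.symlink("../../../../etc", os.path.join(jail, "up"))  # '..' escape attempt
    os.symlink("/etc", os.path.join(jail, "abs"))            # absolute escape attempt
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    root = os.path.join(base, "usr", "jails", "foo")
    for mp in ("/jails/foo/usr/lib", "/jails/foo/tmp/cache", "/jails/foo/up", "/jails/foo/abs"):
        print(base + mp, "->", host_mountpoint(root, base + mp))
```

Resolving the in-jail remainder with the host's plain `realpath` would be wrong for `/jails/foo/tmp/cache`: the jail's `tmp -> /var/tmp` link would be followed to the host's `/var/tmp`, so the file system would be mounted outside the jail; the confined resolver keeps it at `<jail>/var/tmp/cache`, and the two escape links both land on `<jail>/etc`.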