Date:      Sat, 13 Jan 2007 12:29:37 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Colin Percival <cperciva@freebsd.org>
Cc:        freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID:  <20070113112937.GI90718@garage.freebsd.pl>
In-Reply-To: <45A6DB76.40800@freebsd.org>
References:  <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org>



On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> Hello Everyone,
> 
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
> 
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).

I don't like the way it was fixed. I do know it wasn't easy to fix.
I don't like it because it breaks almost all my current jails, because I
often use /jails/ paths in fstabs, which is actually a symlink to
/usr/jails/.

What I'd like to suggest, which seems a much better way to fix the problem,
is:

1. Apply the patch:

	http://people.freebsd.org/~pjd/patches/realpath.patch

2. Find the full path to the jail's root with `realpath $_rootdir`.

3. Take the first entry from /etc/fstab.<name>, for example we have a
   mount-point /usr/jails/foo/usr/lib in there. Run `realpath /usr'
   and compare with $_rootfulldir; if it doesn't match, run `realpath
   /usr/jails` and compare; if it doesn't match, take the next path component
   until we find a match.
   When a match is found, what's left is a mount-point inside a jail,
   e.g. '/usr/lib'. Now, run real=`realpath -c $_rootdir /usr/lib`, which
   will give us the full path inside a jail.
   Then, we need to mount the file system on $_rootdir/$real.

4. Repeat 3 for each fstab entry.

With this approach one can use symlinks in any mount-point component.

The whole complexity in point 3, is because people can have jail's root
configured as '/usr/jails/foo', but use '/jails/foo' prefix for
mount-points.

I'll keep /var/log/console.log outside a jail, because using
'realpath -c' will be dangerous once the jail is running. There could be
a race where `realpath -c` returns one path, an attacker inside a jail
changes one of resolved path's component and rc.d/jail from outside a
jail tries to use it.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
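An added illustration of the prefix walk in steps 2-4 above; this is not code from the mail, the patch, or rc.d/jail. It walks the fstab mount point one component at a time until that prefix's `realpath` equals the real jail root and prints what is left, which is the in-jail mount point. The chroot-aware step that needs the patch's `realpath -c` is left out, and the `/jails -> /usr/jails` layout is constructed under a temporary directory.

```sh
#!/bin/sh
# Constructed example (not from the mail or from rc.d/jail): find the part of
# a per-jail fstab mount point that lies inside the jail, even when the
# administrator wrote the prefix through a symlink such as /jails -> /usr/jails.
# Run this before the jail starts: once it runs, a process inside the jail can
# change a resolved component between the check and the mount.

jail_relative_mountpoint() {
    _rootdir=$1                  # jail root as configured, e.g. /usr/jails/foo
    _mp=$2                       # mount point taken from /etc/fstab.<name>
    _rootfulldir=$(realpath "$_rootdir") || return 1
    _prefix=""
    _rest=${_mp#/}
    # Shortest prefix first, as in step 3: /usr, /usr/jails, /usr/jails/foo, ...
    while [ -n "$_rest" ]; do
        _comp=${_rest%%/*}
        _prefix="$_prefix/$_comp"
        case $_rest in
            */*) _rest=${_rest#*/} ;;
            *)   _rest="" ;;
        esac
        if [ "$(realpath "$_prefix" 2>/dev/null)" = "$_rootfulldir" ]; then
            printf '/%s\n' "$_rest"      # what is left is the in-jail path
            return 0
        fi
    done
    return 1                              # mount point is not under this jail
}

# Builds a throwaway tree: root /usr/jails/foo plus a /jails -> usr/jails
# symlink, then resolves the given mount point (relative to the tree).
demo() {
    _tmp=$(mktemp -d) || return 1
    mkdir -p "$_tmp/usr/jails/foo/usr/lib"
    ln -s usr/jails "$_tmp/jails"
    _rel=$(jail_relative_mountpoint "$_tmp/usr/jails/foo" "$_tmp/$1") || _rel=""
    rm -rf "$_tmp"
    printf '%s\n' "$_rel"
    [ -n "$_rel" ]
}

demo jails/foo/usr/lib            # prints /usr/lib
```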

