From: Pawel Jakub Dawidek <pjd@garage.freebsd.pl>
To: Colin Percival
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Date: Sat, 13 Jan 2007 12:29:37 +0100
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID: <20070113112937.GI90718@garage.freebsd.pl>
In-Reply-To: <45A6DB76.40800@freebsd.org>
X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> Hello Everyone,
>
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
>
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).

I don't like the way it was fixed. I do know it wasn't easy to fix.
I don't like it because it breaks almost all my current jails, because
I often use /jails/ paths in fstabs, which is actually a symlink to
/usr/jails/.

What I'd like to suggest, which seems a much better way to fix the
problem, is:

1. Apply the patch:

	http://people.freebsd.org/~pjd/patches/realpath.patch

2. Find the full path to the jail's root with `realpath $_rootdir`.

3. Take the first entry from /etc/fstab.; for example we have a mount-point
   /usr/jails/foo/usr/lib in there.
   Run `realpath /usr` and compare with $_rootfulldir; if it doesn't match,
   run `realpath /usr/jails` and compare; if it doesn't match, take the next
   path component until we find a match. When a match is found, what's left
   is the mount-point inside the jail, e.g. '/usr/lib'.
   Now, run real=`realpath -c $_rootdir /usr/lib`, which will give us the
   full path inside the jail.
   Then, we need to mount the file system on $_rootdir/$real.

4. Repeat 3 for each fstab entry.

With this approach one can use symlinks in any mount-point component.
The whole complexity in point 3 is because people can have the jail's root
configured as '/usr/jails/foo', but use the '/jails/foo' prefix for
mount-points.

I'll keep /var/log/console.log outside a jail, because using 'realpath -c'
will be dangerous once the jail is running. There could be a race where
`realpath -c` returns one path, an attacker inside a jail changes one of
the resolved path's components and rc.d/jail from outside the jail tries
to use it.

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
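The prefix-walk of step 3 above, and the reason a plain `realpath` on the host is not enough, as an added stand-alone example that is not part of the mail, the advisory, or the rc.d/jail script. The `-c` option of the proposed realpath.patch is not quoted in the thread, so the example emulates it with a hypothetical `jailed_realpath()` that treats the jail root as `/` (an assumption about the patch's semantics, not its code). The temporary directory layout is constructed by the example itself: `/usr/jails/foo` is the jail, `/jails -> /usr/jails` as in the mail, and two symlinks inside the jail that an unconfined `os.path.realpath()` would follow out of the jail. Everything here is meant to run before the jail starts; once it is running, the lookup is subject to the race the mail describes.

```python
import os
import shutil
import tempfile


def jailed_realpath(root, path, max_links=40):
    """Emulate the mail's `realpath -c ROOT PATH` (assumed semantics): resolve
    PATH with ROOT treated as '/', so an absolute symlink target and '..' can
    never leave ROOT. Returns the resolved path relative to the jail."""
    root = os.path.realpath(root)
    resolved = []                                   # components already resolved
    todo = [c for c in path.split('/') if c and c != '.']
    links = 0
    while todo:
        comp = todo.pop(0)
        if comp == '..':
            if resolved:                            # '..' at the jail root stays there
                resolved.pop()
            continue
        host = os.path.join(root, *resolved, comp)
        if os.path.islink(host):
            links += 1
            if links > max_links:
                raise OSError('too many levels of symbolic links: ' + path)
            target = os.readlink(host)
            if target.startswith('/'):              # absolute = jail root, not host root
                resolved = []
            todo = [c for c in target.split('/') if c and c != '.'] + todo
            continue
        resolved.append(comp)
    return '/' + '/'.join(resolved)


def inside_jail_path(rootdir, mountpoint):
    """Step 3 of the mail: realpath() each growing prefix of the fstab mount
    point until it equals realpath(rootdir); what is left is the mount point
    as seen inside the jail (e.g. '/usr/lib')."""
    if not mountpoint.startswith('/'):
        raise ValueError('mount point must be absolute: ' + mountpoint)
    rootfull = os.path.realpath(rootdir)
    comps = [c for c in mountpoint.split('/') if c]
    for i in range(1, len(comps) + 1):
        prefix = '/' + '/'.join(comps[:i])
        if os.path.realpath(prefix) == rootfull:
            return '/' + '/'.join(comps[i:])
    raise ValueError(f'{mountpoint} is not below jail root {rootdir}')


def host_mountpoint(rootdir, mountpoint):
    """Where rc.d/jail should really mount: $_rootdir/$real from the mail."""
    rootfull = os.path.realpath(rootdir)
    real = jailed_realpath(rootdir, inside_jail_path(rootdir, mountpoint))
    return rootfull if real == '/' else rootfull + real


def demo():
    """Constructed layout (not from the mail): build it in a temp dir, run the
    safe and the naive resolution side by side, and return both."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, 'usr', 'jails', 'foo')
    os.makedirs(os.path.join(root, 'usr'))
    os.makedirs(os.path.join(root, 'lib'))
    os.symlink(os.path.join(base, 'usr', 'jails'), os.path.join(base, 'jails'))
    os.symlink('/lib', os.path.join(root, 'usr', 'lib'))            # absolute target
    os.symlink('../../../../etc', os.path.join(root, 'usr', 'escape'))  # climbs out
    fstab_mp = os.path.join(base, 'jails', 'foo', 'usr', 'lib')     # via /jails symlink
    escape_mp = os.path.join(base, 'jails', 'foo', 'usr', 'escape')
    result = {
        'root': os.path.realpath(root),
        'inside': inside_jail_path(root, fstab_mp),         # '/usr/lib'
        'safe': host_mountpoint(root, fstab_mp),            # <root>/lib
        'naive': os.path.realpath(fstab_mp),                # host /lib: escaped
        'escape_safe': host_mountpoint(root, escape_mp),    # <root>/etc
        'escape_naive': os.path.realpath(escape_mp),        # <base>/etc: escaped
    }
    shutil.rmtree(base)
    return result


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k:13s} {v}')
```

The two `naive` entries are the point of the mail's `realpath -c`: following `usr/lib -> /lib` or `usr/escape -> ../../../../etc` with the host's view of `/` lands outside the jail, which is exactly the mount-on-symlink problem the advisory worked around by forbidding symlinked mount points.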