Date:      Mon, 15 Jan 2007 22:08:26 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Dirk Engling <erdgeist@erdgeist.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Message-ID:  <20070115210826.GA2839@garage.freebsd.pl>
In-Reply-To: <45ABDC7C.6060407@erdgeist.org>
References:  <200701111841.l0BIfWOn015231@freefall.freebsd.org> <45A6DB76.40800@freebsd.org> <20070113112937.GI90718@garage.freebsd.pl> <45ABDC7C.6060407@erdgeist.org>

On Mon, Jan 15, 2007 at 08:56:44PM +0100, Dirk Engling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pawel Jakub Dawidek wrote:
>
> > I'll keep /var/log/console.log outside a jail, because using
> > 'realpath -c' will be dangerous once the jail is running. There could be
> > a race where `realpath -c` returns one path, an attacker inside a jail
> > changes one of resolved path's component and rc.d/jail from outside a
> > jail tries to use it.
>
> A simple way to prevent race conditions (here an example to mount devfs
> into jails) is:
>
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_dev_dir}
> j_dev=`pwd`
> eval evil_doer=\$\{j_dev#${j_root}\}
> [ "$evil_doer" = "$j_dev" ] && exit
> mount_devfs devfs .

	# ls -l /jails
	lrwxr-x---  1 root  wheel  9 15 sty 21:58 /jails -> usr/jails
	# jail_root="/usr/jails"
	# jail_dev_dir="/jails/dev"
	# cd ${jail_root}
	# j_root=`pwd`
	# echo $j_root
	/usr/jails
	# cd ${jail_dev_dir}
	# j_dev=`pwd`
	# echo $j_dev
	/jails/dev
	# eval evil_doer=\$\{j_dev#${j_root}\}
	# echo $evil_doer
	/jails/dev
	# [ "$evil_doer" = "$j_dev" ] && echo "false positive"
	false positive

In other words, it may break existing configurations.

> To do the same with console.log (I _really_ like this feature and would
> want it re-enabled asap) you can use something like:
>
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_var_log_dir}
> j_var_log=`pwd`
> eval evil_doer=\$\{j_var_log#${j_root}\}
> [ "$evil_doer" = "$j_var_log" ] && exit

--> Race <--

> cp -f ${temp_log} console.log

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
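
The false positive from the transcript above and the window marked "--> Race <--", reproduced in a scratch directory as an added example (not part of the original message and not code from rc.d/jail). The function names `verdict` and `demo`, the scratch layout and the use of `pwd -L` / `pwd -P` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; every path lives in a scratch directory (constructed data).

# verdict ROOT DIR FLAG -> prints "inside" or "outside".
# FLAG is -L (logical path, what plain `pwd` reports in sh) or -P (physical).
# Uses the same prefix-strip test as the quoted snippet, without eval.
verdict() {
    v_root=$(cd "$1" && pwd "$3") || return 2
    v_dir=$(cd "$2" && pwd "$3") || return 2
    if [ "${v_dir#"$v_root"}" = "$v_dir" ]; then echo outside; else echo inside; fi
}

# demo -> prints three verdicts, one per line.
demo() {
    s=$(mktemp -d) || return 1
    mkdir -p "$s/usr/jails/dev" "$s/elsewhere"
    ln -s usr/jails "$s/jails"            # same shape as /jails -> usr/jails

    # 1. Logical pwd keeps the symlink name, so a valid configuration is rejected.
    verdict "$s/usr/jails" "$s/jails/dev" -L
    # 2. Physical pwd resolves the symlink; the false positive goes away.
    verdict "$s/usr/jails" "$s/jails/dev" -P
    # 3. Check-to-use window: a path component is replaced after verdict 2 was
    #    taken. Re-running the check shows the earlier answer no longer holds.
    rmdir "$s/usr/jails/dev"
    ln -s ../../elsewhere "$s/usr/jails/dev"
    verdict "$s/usr/jails" "$s/jails/dev" -P

    rm -rf "$s"
}

demo
```

Resolving symlinks fixes only the false positive; the third verdict shows that any answer computed before the path is used can be stale by the time it is used.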



