mergemaster and better support for ezjails
Mateusz Guzik
mjguzik at gmail.com
Sun Jul 13 02:55:09 UTC 2014
On Sat, Jul 12, 2014 at 08:08:52PM -0600, Warren Block wrote:
> A couple of patches to make mergemaster work better with ezjails.
>
> These are only very superficially tested. Feedback welcome.
>
> 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This
> allows IGNORE_FILES to be set in the jail. And other settings, but
> that's the one I wanted.
>
How exactly does it work?
Is jailed root allowed to create /etc/mergemaster.rc?
If so, that would be a jail escape vector - an attacker puts commands they
want to execute inside and mergemaster sourcing the file will trigger
executing them.
In fact running mergemaster from "outside" on an untrusted jail seems
like a security weakness even without jailed-root controlled rc file
since they can try to do something fishy with symlinks which now resolve
to stuff on the host.
The following should be safe enough:
- have a dedicated RO jail
- mount to-be-updated jail under /mnt/jail or whatever
- mount sources/whatever RO under /usr/src or whatever
- run update process from inside dedicated RO jail
--
Mateusz Guzik <mjguzik gmail.com>
More information about the freebsd-jail
mailing list