mergemaster and better support for ezjails
Warren Block
wblock at wonkity.com
Sun Jul 13 03:24:38 UTC 2014
On Sun, 13 Jul 2014, Mateusz Guzik wrote:
> On Sat, Jul 12, 2014 at 08:08:52PM -0600, Warren Block wrote:
>> A couple of patches to make mergemaster work better with ezjails.
>>
>> These are only very superficially tested. Feedback welcome.
>>
>> 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This
>> allows IGNORE_FILES to be set in the jail. And other settings, but
>> that's the one I wanted.
>>
>
> How exactly does it work?
>
> Is jailed root allowed to create /etc/mergemaster.rc?
Yes. Or at least I don't know of anything preventing that.
> If so, that would be a jail escape vector - an attacker puts commands they
> want to execute inside and mergemaster sourcing the file will trigger
> executing them.
Ouch. Seems obvious now that you mention it. Probably mergemaster.rc
should have a defined format rather than being sourced anyway.
Another way to implement ignored files would be to extend the
definitions in (the host's) /etc/mergemaster.rc to include ignored files
by jail name or full path.
Full paths do not work presently because IGNORE_FILES just deletes the
temporary file so it is not compared.
> In fact running mergemaster from "outside" on an untrusted jail seems
> like a security weakness even without jailed-root controlled rc file
> since they can try to do something fishy with symlinks which now resolve
> to stuff on the host.
>
> The following should be safe enough:
> - have a dedicated RO jail
> - mount to-be-updated jail under /mnt/jail or whatever
> - mount sources/whatever RO under /usr/src or whatever
> - run update process from inside dedicated RO jail
Thank you!
More information about the freebsd-jail
mailing list