HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Pawel Jakub Dawidek
pjd at FreeBSD.org
Mon Jan 15 21:09:07 UTC 2007
On Mon, Jan 15, 2007 at 08:56:44PM +0100, Dirk Engling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pawel Jakub Dawidek wrote:
>
> > I'll keep /var/log/console.log outside a jail, because using
> > 'realpath -c' will be dangerous once the jail is running. There could be
> > a race where `realpath -c` returns one path, an attacker inside a jail
> > changes one of resolved path's component and rc.d/jail from outside a
> > jail tries to use it.
>
> A simple way to prevent race conditions (here an example to mount devfs
> into jails) is:
>
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_dev_dir}
> j_dev=`pwd`
> eval evil_doer=\$\{j_dev#${j_root}\}
> [ "$evil_doer" = "$j_dev" ] && exit
> mount_devfs devfs .
# ls -l /jails
lrwxr-x--- 1 root wheel 9 15 sty 21:58 /jails -> usr/jails
# jail_root="/usr/jails"
# jail_dev_dir="/jails/dev"
# cd ${jail_root}
# j_root=`pwd`
# echo $j_root
/usr/jails
# cd ${jail_dev_dir}
# j_dev=`pwd`
# echo $j_dev
/jails/dev
# eval evil_doer=\$\{j_dev#${j_root}\}
# echo $evil_doer
/jails/dev
# [ "$evil_doer" = "$j_dev" ] && echo "false positive"
false positive
In other words, it may break existing configurations.
> To do the same with console.log (I _really_ like this feature and would
> want it re-enabled asap) you can use something like:
>
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_var_log_dir}
> j_var_log=`pwd`
> eval evil_doer=\$\{j_var_log#${j_root}\}
> [ "$evil_doer" = "$j_var_log" ] && exit
--> Race <--
> cp -f ${temp_log} console.log
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20070115/3012dcdf/attachment.pgp
More information about the freebsd-security
mailing list