HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Pawel Jakub Dawidek pjd at FreeBSD.org
Mon Jan 15 21:09:07 UTC 2007 

On Mon, Jan 15, 2007 at 08:56:44PM +0100, Dirk Engling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Pawel Jakub Dawidek wrote:
> 
> > I'll keep /var/log/console.log outside a jail, because using
> > 'realpath -c' will be dangerous once the jail is running. There could be
> > a race where `realpath -c` returns one path, an attacker inside a jail
> > changes one of resolved path's component and rc.d/jail from outside a
> > jail tries to use it.
> 
> A simple way to prevent race conditions (here an example to mount devfs
> into jails) is:
> 
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_dev_dir}
> j_dev=`pwd`
> eval evil_doer=\$\{j_dev#${j_root}\}
> [ "$evil_doer" = "$j_dev" ] && exit
> mount_devfs devfs .

	# ls -l /jails
	lrwxr-x---  1 root  wheel  9 15 sty 21:58 /jails -> usr/jails
	# jail_root="/usr/jails"
	# jail_dev_dir="/jails/dev"
	# cd ${jail_root}
	# j_root=`pwd`
	# echo $j_root
	/usr/jails
	# cd ${jail_dev_dir}
	# j_dev=`pwd`
	# echo $j_dev
	/jails/dev
	# eval evil_doer=\$\{j_dev#${j_root}\}
	# echo $evil_doer
	/jails/dev
	# [ "$evil_doer" = "$j_dev" ] && echo "false positive"
	false positive

In other words, it may break existing configurations.

> To do the same with console.log (I _really_ like this feature and would
> want it re-enabled asap) you can use something like:
> 
> cd ${jail_root}
> j_root=`pwd`
> cd ${jail_var_log_dir}
> j_var_log=`pwd`
> eval evil_doer=\$\{j_var_log#${j_root}\}
> [ "$evil_doer" = "$j_var_log" ] && exit

--> Race <--

> cp -f ${temp_log} console.log

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20070115/3012dcdf/attachment.pgp

More information about the freebsd-security mailing list