Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

Alexander Leidinger Alexander at Leidinger.net
Sat Jan 20 14:24:41 UTC 2007 

Quoting Pawel Jakub Dawidek <pjd at FreeBSD.org> (Sat, 20 Jan 2007 14:03:08 +0100):

> I fully agree that console.log should be outside a jail. At least noone
> proposed safe solution so far, which also means it's not an easy fix.

What's unsafe about my proposal? I did had a look at the code now, and
it should work (with minor mods).

Original:
---snip---
                _tmp_jail=${_tmp_dir}/jail.$$
                eval jail ${_flags} -i ${_rootdir} ${_hostname} \
                        ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1

                if [ "$?" -eq 0 ] ; then
                        _jail_id=$(head -1 ${_tmp_jail})
                        i=1
                        while [ true ]; do
                                eval out=\"\${_exec_afterstart${i}:-''}\"

                                if [ -z "$out" ]; then
                                        break;
                                fi

                                jexec "${_jail_id}" ${out}
                                i=$((i + 1))
                        done

                        echo -n " $_hostname"
                        tail +2 ${_tmp_jail} >${_consolelog}
                        echo ${_jail_id} > /var/run/jail_${_jail}.id
---snip---

Pseudocode proposal, not tested (changes prefixed with 'x'):
---snip---
                _tmp_jail=${_tmp_dir}/jail.$$
x               # assuming safe _consolelog (inside chroot) according
to the
x               # previous mails here in the thread
x		eval (echo "" ; \
x                       jail ${_flags} -I /var/run/jail_${_jail}.id \
x                       ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
x                       > ${_consolelog} 2>&1

                if [ "$?" -eq 0 ] ; then
x                       _jail_id=$(cat /var/run/jail_${_jail}.id)
                        i=1
                        while [ true ]; do
                                eval out=\"\${_exec_afterstart${i}:-''}\"

                                if [ -z "$out" ]; then
                                        break;
                                fi

                                jexec "${_jail_id}" ${out}
                                i=$((i + 1))
                        done

                        echo -n " $_hostname"
x
x
---snip---

Repeating my points:
 - sanitize the consolelog path like discussed in this thread
 - the jail is not running, so nobody can create a link (jail
   root within FS space of another jail still prohibited)
 - subshell to group echo and jail
 - 'echo ""' to make sure the file exists when the jail starts
 - (new) additional flag to jail to write a jid file
 - redirect to the consolelog, it is still open from the echo
   when the jail starts so there's no race

I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
is line buffered, so the above works.

Where's the security problem in the above?

Bye,
Alexander.

-- 
I wore my extra loose pants for nothing.  Nothing!

       		-- Homer Simpson
		   New Kid on the Block
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137

More information about the freebsd-security mailing list