Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD
Security Advisory FreeBSD-SA-07:01.jail]
Pawel Jakub Dawidek
pjd at FreeBSD.org
Tue Jan 23 11:35:34 UTC 2007
On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek <pjd at FreeBSD.org> (Sat, 20 Jan 2007 14:03:08 +0100):
>
> > I fully agree that console.log should be outside a jail. At least noone
> > proposed safe solution so far, which also means it's not an easy fix.
>
> What's unsafe about my proposal? I did had a look at the code now, and
> it should work (with minor mods).
>
> Original:
> ---snip---
> _tmp_jail=${_tmp_dir}/jail.$$
> eval jail ${_flags} -i ${_rootdir} ${_hostname} \
> ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1
>
> if [ "$?" -eq 0 ] ; then
> _jail_id=$(head -1 ${_tmp_jail})
> i=1
> while [ true ]; do
> eval out=\"\${_exec_afterstart${i}:-''}\"
>
> if [ -z "$out" ]; then
> break;
> fi
>
> jexec "${_jail_id}" ${out}
> i=$((i + 1))
> done
>
> echo -n " $_hostname"
> tail +2 ${_tmp_jail} >${_consolelog}
> echo ${_jail_id} > /var/run/jail_${_jail}.id
> ---snip---
>
> Pseudocode proposal, not tested (changes prefixed with 'x'):
> ---snip---
> _tmp_jail=${_tmp_dir}/jail.$$
> x # assuming safe _consolelog (inside chroot) according
> to the
> x # previous mails here in the thread
> x eval (echo "" ; \
> x jail ${_flags} -I /var/run/jail_${_jail}.id \
> x ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
> x > ${_consolelog} 2>&1
>
> if [ "$?" -eq 0 ] ; then
> x _jail_id=$(cat /var/run/jail_${_jail}.id)
> i=1
> while [ true ]; do
> eval out=\"\${_exec_afterstart${i}:-''}\"
>
> if [ -z "$out" ]; then
> break;
> fi
>
> jexec "${_jail_id}" ${out}
> i=$((i + 1))
> done
>
> echo -n " $_hostname"
> x
> x
> ---snip---
>
> Repeating my points:
> - sanitize the consolelog path like discussed in this thread
> - the jail is not running, so nobody can create a link (jail
> root within FS space of another jail still prohibited)
> - subshell to group echo and jail
> - 'echo ""' to make sure the file exists when the jail starts
> - (new) additional flag to jail to write a jid file
> - redirect to the consolelog, it is still open from the echo
> when the jail starts so there's no race
>
> I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
> is line buffered, so the above works.
>
> Where's the security problem in the above?
It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20070123/57a072fd/attachment.pgp
More information about the freebsd-security
mailing list