HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Dmitry Frolov frolov at riss-telecom.ru
Wed Jan 17 10:11:11 UTC 2007


* Colin Percival <cperciva at freebsd.org> [12.01.2007 06:53]:

> Hello Everyone,
> 
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
> 
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).
> 
> While this is not ideal, this security issue was extraordinarily messy due to
> the power and flexibility of the jails and the jail rc.d script.  I can't
> recall any other time when the security team has spent this long trying to
> find a working patch for a security issue.  I'd like to publicly thank Simon
> Nielsen for the many many hours he spent working on this issue, as well as
> the release engineering team for being very patient with us and delaying the
> upcoming release to give us time to fix this.

Another approach to writing the log file safely is to do it from a process
running inside the jail.

As an example, ports/sysutils/jailer does that (with a small
modification).  Here are small patches that fix it to work on
FBSD > 4 and allow it to write to a log file instead of the console:

http://kaya.nov.net/frol/patches/jailer-1.1.2-fbsd5-console.diff
http://kaya.nov.net/frol/patches/jailer-1.1.2-injail-sysctl.diff

    wbr&w, dmitry.
-- 
Dmitry Frolov <frolov at riss-telecom.ru>
RISS-Telecom Network, Novosibirsk, Russia
66415911 at ICQ, +7 383 2278800, DVF-RIPE
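Added example (not part of the advisory, Colin's mail, or Dmitry's jailer patches): a POSIX sh check for the one assumption the patched rc.d script now makes, that per-jail fstab mount points are real, non-symlinked paths. It walks the mount-point column of an fstab(5)-style file and flags any path whose components include a symlink. The jail root, fstab contents and file names below are constructed for the demo; jail names and paths on a real system will differ.

```shell
#!/bin/sh
# Added example, not from the advisory or from the jailer port.
# Reads a per-jail fstab (fstab(5) layout: device mountpoint type opts
# dump pass) and reports any mount point that passes through a symlink,
# which FreeBSD-SA-07:01.jail asks administrators to avoid.

# Print the first symlinked component of absolute path $1 and return 0;
# return 1 if no component of the path is a symlink.
path_has_symlink() {
    _rest=${1#/}
    _cur=''
    while [ -n "$_rest" ]; do
        _comp=${_rest%%/*}
        case $_rest in
            */*) _rest=${_rest#*/} ;;
            *)   _rest='' ;;
        esac
        [ -z "$_comp" ] && continue      # skip empty components from "//"
        _cur="$_cur/$_comp"
        if [ -L "$_cur" ]; then
            printf '%s\n' "$_cur"
            return 0
        fi
    done
    return 1
}

# Check every mount point listed in fstab file $1.  Prints one line per
# offending entry and returns 1 if any was found, 0 if the file is clean.
check_jail_fstab() {
    _bad=0
    while read -r _dev _mnt _type _opts _dump _pass; do
        case $_dev in ''|'#'*) continue ;; esac   # blank lines and comments
        if _link=$(path_has_symlink "$_mnt"); then
            printf '%s -> symlink at %s\n' "$_mnt" "$_link"
            _bad=1
        fi
    done < "$1"
    return $_bad
}

# Constructed demo: a fake jail root under $1 with one real mount point,
# one mount point that is a symlink, and a per-jail fstab naming both.
# Prints the path of the generated fstab.
setup_demo() {
    _root=$1
    mkdir -p "$_root/usr/ports" "$_root/usr/home" "$_root/real/distfiles"
    ln -s "$_root/real/distfiles" "$_root/usr/ports/distfiles"
    cat > "$_root/fstab.jail" <<EOF
# device               mountpoint                     type   opts dump pass
/usr/ports             $_root/usr/ports               nullfs ro   0    0
/usr/ports/distfiles   $_root/usr/ports/distfiles     nullfs rw   0    0
/usr/home              $_root/usr/home                nullfs rw   0    0
EOF
    printf '%s\n' "$_root/fstab.jail"
}

# Stand-alone run: build the demo tree and check it.
if [ -n "$RUN_JAIL_FSTAB_DEMO" ]; then
    demo_root=$(mktemp -d)
    demo_fstab=$(setup_demo "$demo_root")
    check_jail_fstab "$demo_fstab" && echo "fstab clean" || echo "fix the entries above"
    rm -rf "$demo_root"
fi
```

Run it over each /etc/fstab.<jailname> before the jail starts; a non-zero exit means at least one mount point is reached through a symlink, and that entry should be rewritten with the real path, as the advisory asks. The check only looks at path components; it says nothing about the separate, unfixed case of mount points visible from several jails.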

