HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Dmitry Frolov frolov at riss-telecom.ru
Wed Jan 17 10:11:11 UTC 2007

* Colin Percival <cperciva at freebsd.org> [12.01.2007 06:53]:

> Hello Everyone,
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix the all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).
> While this is not ideal, this security issue was extraordinarily messy due to
> the power and flexibility of the jails and the jail rc.d script.  I can't
> recall any other time when the security team has spent this long trying to
> find a working patch for a security issue.  I'd like to publicly thank Simon
> Nielsen for the many many hours he spent working on this issue, as well as
> the release engineering team for being very patient with us and delaying the
> upcoming release to give us time to fix this.

The other approach to write log file safely is to do it from the process
running inside a jail.

As an example, there is a ports/sysutils/jailer that does that (with
small modification).  Here are small patches that fix it to work on
FBSD > 4 and allows it to write to log file instead of console:


    wbr&w, dmitry.
Dmitry Frolov <frolov at riss-telecom.ru>
RISS-Telecom Network, Novosibirsk, Russia
66415911 at ICQ, +7 383 2278800, DVF-RIPE

More information about the freebsd-stable mailing list