bin/173469: [jail] regression: security.jail.sysvipc_allowed=1 no longer respected
Anton Yuzhaninov
ayuzhaninov at openstat.ru
Thu Nov 8 10:50:01 UTC 2012
>Number: 173469
>Category: bin
>Synopsis: [jail] regression: security.jail.sysvipc_allowed=1 no longer respected
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 08 10:50:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Anton Yuzhaninov
>Release: FreeBSD 8.3-STABLE-20121101 amd64
>Organization:
>Environment:
System: FreeBSD crw02.mgmt.vega.ru 8.3-STABLE-20121101 FreeBSD 8.3-STABLE-20121101 #0: Thu Nov 1 00:25:48 UTC 2012 root at aleph.mgmt.vega.ru:/usr/obj/usr/src/sys/MGMT amd64
>Description:
After http://svn.freebsd.org/changeset/base/242083 our configuration is broken.
Despite sysctl security.jail.sysvipc_allowed=1 jail started with sysvipc disabled.
Adding jail_sysvipc_allow="YES" to /etc/rc.conf also don't help.
>How-To-Repeat:
sysctl security.jail.sysvipc_allowed=1
start jail using /etc/rc.d/jail without additional parameters.
jls -n will show
allow.nosysvipc
>Fix:
This problem caused by combination of two different changes:
1. In jail(8) command was implemented 'new mode', with support of name=value parameters.
Access to System V IPC is controlled by allow.sysvipc parameter, default to disable (allow.nosysvipc)
and this default is don't depend on sysctl security.jail.sysvipc_allowed.
With new mode jail(8), sysctl security.jail.sysvipc_allowed seems to be unused.
With old mode jail(8) invocation, sysctl security.jail.sysvipc_allowed still
can control access to System V IPC from jails.
2. In r242083 /etc/rc.d/jail was switched to new-style and nor sysctl security.jail.sysvipc_allowed nor
jail_sysvipc_allow="YES" in /etc/rc.conf affects allow.sysvipc jail parameter.
After r242083 it is possible to add jail_example_parameters="allow.sysvipc=1" to rc.conf for single jail,
but it is no longer possible to set default for all jails.
There is two possible decisions for this problem:
1. Fix jail(8) or jail(2) to respect sysctl security.jail.sysvipc_allowed=1
2. If there is plan to completely remove sysctl security.jail.sysvipc_allowed in future (POLA already has broken after r242083),
it is better to change /etc/rc.d/jail to add allow.sysvipc parameter to jail(8) if exist jail_sysvipc_allow="YES" in rc.conf
and there is no parameters like jail_example_parameters="allow.nosysvipc=1" or jail_example_parameters="allow.sysvipc=0" to
override default.
I'm prefer 1st fix.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list