[Bug 210049] jails & the default lo0 127.0.0.1 loopback interface

bugzilla-noreply at freebsd.org
Sun Jun 5 13:19:00 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049

            Bug ID: 210049
           Summary: jails & the default lo0 127.0.0.1 loopback interface
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: qjail1 at a1poweruser.com

The undocumented behavior of non-vimage jails populated with a port or pkg
that defaults to communicating over the lo0 127.0.0.1 loopback interface is to
simply map it over with the jail's defined primary IP address. This default jail
behavior exposes that port/pkg to all the traffic entering the jail over its
primary IP address, whether from the LAN or public network. This is a security
issue.

This is not the behavior of 127.0.0.1 as defined in [RFC1700, page 5], which
states: "127.0.0.0/8 - This block is assigned for use as the Internet host
loopback address. A datagram sent by a higher level protocol to an address
anywhere within this block should loop back inside the host." In a jail's case
the word "host" would also mean "jail".

The administrators of such jails have to manually activate loopback by adding
lo0:127.0.0.x to the jail's ip4_addr parameter value along with the jail's
primary IP address. Then manually change the conf file of all the applications
running in that jail to use that lo0 127.0.0.x IP address. Or an alternative is
to add a statement to the host's rc.conf to clone the lo0 interface and then
code as above. This means each jail has a unique loopback IP address.

This manual workaround is not documented and should not be necessary. The
non-vimage jail should just handle loopback localhost by default. The kernel
lo0 interface needs to be made jail aware.

This issue has been recently discussed with James Gritton jamie at freebsd.org and
he agrees it's time to address this long outstanding security issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.
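An added audit check, not part of the bug report or of FreeBSD itself, illustrating the mapping the report describes: given a non-VIMAGE jail's ip4.addr list (the comma-separated form printed by `jls -j <jail> ip4.addr`, a real command), it reports where a daemon's bind to 127.0.0.1 actually lands and whether the 127.0.0.x workaround alias is present. The sample address lists are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or FreeBSD. Reads a jail's ip4.addr
# list and shows the exposure described in bug 210049: the kernel rewrites a
# bind to 127.0.0.1 into the jail's primary (first listed) address, so a daemon
# that believes it is "localhost only" answers on that address instead.

# Print the address that 127.0.0.1 is rewritten to inside the jail
# (the first entry of the ip4.addr list is the primary address).
loopback_target() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n '1p'
}

# Succeed if the jail carries any 127.0.0.0/8 alias (workaround applied);
# daemons still have to be pointed at that alias explicitly.
has_loopback_alias() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -q '^127\.'
}

# Classify one jail's list as "ok:" (127.0.0.1 stays on a loopback address)
# or "exposed:" (127.0.0.1 lands on a routable address).
audit_jail_addrs() {
    target=$(loopback_target "$1")
    case "$target" in
        127.*)
            echo "ok: 127.0.0.1 -> $target (stays inside the jail)" ;;
        *)
            if has_loopback_alias "$1"; then
                echo "exposed: 127.0.0.1 -> $target; alias present, daemons must bind it explicitly"
            else
                echo "exposed: 127.0.0.1 -> $target; no 127.0.0.x alias configured"
            fi ;;
    esac
}

# Constructed sample lists (in practice: jls -j <jail> ip4.addr).
audit_jail_addrs "192.0.2.10"              # exposed, no alias
audit_jail_addrs "192.0.2.10,127.0.0.2"    # exposed, alias present
audit_jail_addrs "127.0.0.2,192.0.2.10"    # ok
```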
