[Bug 210049] jails & the default lo0 127.0.0.1 loopback interface
bugzilla-noreply at freebsd.org
Sun Jun 5 13:19:00 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
Bug ID: 210049
Summary: jails & the default lo0 127.0.0.1 loopback interface
Product: Base System
Version: 10.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: qjail1 at a1poweruser.com
The undocumented behavior of non-vimage jails populated with a port or pkg
that defaults to communicating over the lo0 127.0.0.1 loopback interface is to
simply map it over with the jail's defined primary IP address. This default jail
behavior exposes that port/pkg to all the traffic entering the jail over its
primary IP address, whether from the LAN or public network. This is a security
issue.
This is not the behavior of 127.0.0.1 as defined in [RFC1700, page 5], which
states "127.0.0.0/8 - This block is assigned for use as the Internet host
loopback address. A datagram sent by a higher level protocol to an address
anywhere within this block should loop back inside the host." In a jail's case
the word "host" would also mean "jail".
The administrators of such jails have to manually activate loopback by adding
lo0:127.0.0.x to the jail's ip4_addr parameter value along with the jail's
primary IP address. Then manually change the conf file of all the applications
running in that jail to use that lo0 127.0.0.x IP address. Or an alternative is
to add a statement to the host's rc.conf to clone the lo0 interface and then
code as above. This means each jail has a unique loopback IP address.
This manual workaround is not documented and should not be necessary. The
non-vimage jail should just handle loopback localhost by default. The kernel
lo0 interface needs to be made jail aware.
This issue has been recently discussed with James Gritton (jamie at freebsd.org) and
he agrees it's time to address this long-outstanding security issue.
--
You are receiving this mail because:
You are the assignee for the bug.
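The check a jail administrator would want for the exposure the report describes is to look at what each jail is actually listening on, rather than at what the application's conf file says. The script below is an added example, not part of the bug report or of FreeBSD: it parses sockstat(1) output and flags every listening tcp4 socket that is not inside 127.0.0.0/8, which in a non-vimage jail without a loopback address is exactly where a daemon configured for 127.0.0.1 ends up. The sample sockstat output is constructed; the function names (flag_exposed_listeners, sample_exposed, audit_jails) are this example's own. The memcached line in the sample models a jail where the workaround from the report has been applied (a 127.0.0.x loopback address added to the jail's address list, here 127.0.0.2, and the daemon pointed at it), so it is not flagged.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a non-VIMAGE jail for daemons
# that were configured to bind 127.0.0.1 but, because the jail has no loopback
# address of its own, are listening on the jail's primary IP address instead.

# Read sockstat(1) output on stdin and print "COMMAND LOCAL-ADDRESS" for every
# listening tcp4 socket whose local address is outside 127.0.0.0/8. Such a
# socket is reachable by any traffic that enters the jail over its primary
# address. A wildcard local address ("*:port") is treated as exposed too.
flag_exposed_listeners() {
    awk '
        NR == 1 && $1 == "USER" { next }         # skip the sockstat header line
        $5 == "tcp4" {
            addr = $6
            sub(/:[0-9]+$/, "", addr)            # drop the ":port" suffix
            if (addr !~ /^127\./)                # anything not in 127/8 is exposed
                print $2, $6
        }'
}

# Constructed "sockstat -4 -l -j <jid>" output for a jail whose primary address
# is 192.0.2.10. mysqld was configured for 127.0.0.1 and was silently mapped to
# 192.0.2.10; sshd is deliberately on the primary address; memcached shows a
# jail that has a 127.0.0.2 loopback address configured and uses it.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  18 tcp4   192.0.2.10:3306       *:*
root     sshd       2345  4  tcp4   192.0.2.10:22         *:*
nobody   memcached  3456  26 tcp4   127.0.0.2:11211       *:*'

# Run the check against the constructed sample and return the exposed list.
sample_exposed() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | flag_exposed_listeners
}

# On a real FreeBSD host: list every running jail with jls(8) and audit its
# listening sockets with "sockstat -j <jid>". Not exercised by the sample run.
audit_jails() {
    jls -h jid name | tail -n +2 | while read -r jid name; do
        echo "== jail $name (jid $jid) =="
        sockstat -4 -l -j "$jid" | flag_exposed_listeners
    done
}

# Stand-alone run: show what the sample jail exposes.
sample_exposed
```

On the sample, mysqld and sshd are reported and memcached is not. Whether sshd on the primary address is intended is a policy question; mysqld is the case the report is about, since nothing in the MySQL configuration says it should be reachable from the network. Once a jail has its own 127.0.0.x address (the report's ip4_addr workaround) and the daemons are pointed at it, a second run should list only the services that are meant to be public.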