sysrc(8) -- a sysctl(8)-like utility for managing rc.conf(5)

Pawel Jakub Dawidek pjd at FreeBSD.org
Wed Oct 20 10:01:23 UTC 2010 

On Tue, Oct 19, 2010 at 07:12:49PM -0700, Devin Teske wrote:
> On Tue, 2010-10-19 at 21:52 +0200, Pawel Jakub Dawidek wrote:
> > On Tue, Oct 19, 2010 at 10:50:29AM -0700, Devin Teske wrote:
> > > I added `-j jail' for specifying a jail id or name to operate within
> > > (requires jls(8); overrides `-R dir').
> > [...]
> > 
> > Note that operating on jail files from outside a jail is serious
> > security problem. The files from within the jail can be symbolic links
> > that point to files from outside a jail from your perspective.  Even
> > chroot(2) to jail's root is neither safe (running applications that can
> > be modified by jail's root is obvious security hole) nor reliable (jail
> > might not have all the commands). The only safe way is to jexec(8) into
> > a jail, but it of course has the same relialability issue as chroot(8).
> > 
> 
> I see the concern, and you're absolutely right.
> 
> I did see the need to use either chroot(8) or jexec(8), but for exactly
> the same reasons you mention (handing execution off-to something that
> could have been modified by the jail's root-user), I ended up writing
> routines that just edited the files outside the jail.
> 
> It appears that (due to the other aforementioned security problem,
> involving hand-crafted symbolic links with malicious-intent), the only
> proper solution would be:
> 
> a. Copy ourselves into some temporary location within the jail
> b. Hand execution off to ourself using either jexec(8) or chroot(8)
> 
> And in doing that, we'll be properly jailed so that no matter the attack
> vector, we'll be covered via the kernel's built-in protection.
> 
> How does that sound?

Well, first of all you need to verify that $ROOTDIR/tmp/ is not a
symbolic link (you can use realpath(1) for that). Then when you copy a
file to $ROOTDIR/tmp/ you must be sure there is no symbolic link under
the same name, as cp(1) will follow symblic link and you can end up
overwriting eg. /etc/spwd.db with /bin/ls. I think it will be easier to
just create random directory in $ROOTDIR/tmp/. This all must be done of
course when jail is turned off. Anoher issue to consider is that you
have to copy statically linked utilities - dynamically linked programs
will use libraries from within a jail, which might not be there and
might not be trusted. Also for this reason I'd forget about chroot(8) -
even if you remember about libraries, there might still be malicious
configuration files, etc. so jexec(8) is the only option. I, for one,
use read-only root file systems for jails, maybe it would be good to
check for that if you want to copy stuff over (/tmp/ is still writable).

Please note, that all this is very risky still. I don't know if warned
you about all possible problems. I'm also not a fun of copying stuff
over into jails - this isn't pretty and also it is a problem to clean up
(think about system crash in the middle of your operation). Maybe it
will be wiser to just limit your script to operate within
fully-populated jails, so that you can always call 'jexec <jid> sysrc'?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-rc/attachments/20101020/64abda24/attachment.pgp

More information about the freebsd-rc mailing list