Closing information leaks in jails?

Attila Nagy bra at fsn.hu
Fri Aug 19 08:20:33 GMT 2005


Nate Nielsen wrote:
> For me this only shows the alias assigned to the jail.
You are right.

>>- full dmesg output after boot and the kernel buffer when it overflows
>>(can contain sensitive information)
> Yes, this is important. Use:
> sysctl -w security.bsd.unprivileged_read_msgbuf=0
Hmm, thanks, that was new info for me.

> only shows connections to the current jail. It does show the output from
> 'netstat -m' and those sort of things, but those say nothing over the
> network load of the current machine.
Yes, they are not that critical.

>>- information about configured swap space via swapinfo
> Not sure I see how this could be used against you.
Nothing bad, but I can imagine a situation where the operator of the 
host machine wants to hide everything about the real specifications. For 
example if the machine is overbooked and the swap is lightly or heavily 
used, etc.

>>- NFS related statistics via nfsstat
> Again only statistics. Not sure how this is a problem.
For me, they are not, just another thing, which could be guessed about 
the host and not the jail (if I am right).

>>- a lot of interesting stuff via sysctl
> Yes, there's a lot there, but a lot *is* filtered out in a jail.
Yep.

> My suggestion would be to file bugs one by one for each piece of
> information that causes you concern along with the reasoning of why that
> information is dangerous or sensitive.
The biggest issue for me was dmesg and the ARP table. All of the others 
were there, because I wanted to know, what else could an unprivileged 
user guess about the host.

I will open a PR with the ARP table issue.

> The FreeBSD developers have been attentive to these things, and have
> added functionality in almost each release to minimize information
> available in a jail. So pointing specific issues out will probably get
> good results.
Yes, last time I checked these, the user in a jail could list all of the 
mounted file systems. Now it is less chatty. :)

Thanks,

-- 
Attila Nagy                                   e-mail: Attila.Nagy at fsn.hu
Adopt a directory on our free software   phone @work: +361 371 3536
server! http://www.fsn.hu/?f=brick             cell.: +3630 306 6758
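
Added example, not part of the original message: `sysctl -w` changes only the running kernel, so the `security.bsd.unprivileged_read_msgbuf=0` setting quoted above is lost at reboot unless it is also in `/etc/sysctl.conf`. The sketch below reports that drift; the function names `conf_value` and `audit_msgbuf` are hypothetical, and it assumes the host persists sysctl settings in `/etc/sysctl.conf`.

```shell
#!/bin/sh
# Added example: verify the msgbuf knob is 0 at runtime AND persisted.

KNOB="security.bsd.unprivileged_read_msgbuf"

# conf_value FILE KNOB
# Print the last value assigned to KNOB in a sysctl.conf-style file
# (the last assignment wins), or print nothing if it is never set.
conf_value() {
    awk -v k="$2" '
        {
            sub(/#.*/, "")                 # drop comments
            n = index($0, "=")
            if (n == 0) next               # not an assignment
            name = substr($0, 1, n - 1)
            val  = substr($0, n + 1)
            gsub(/[ \t]/, "", name)
            gsub(/[ \t]/, "", val)
            if (name == k) last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_msgbuf RUNTIME_VALUE CONF_FILE
# Print one verdict:
#   ok             runtime value is 0 and the config file sets it to 0
#   not-persisted  runtime value is 0 but the config file does not
#   exposed        runtime value is not 0 (unprivileged dmesg readable)
audit_msgbuf() {
    runtime=$1
    persisted=$(conf_value "$2" "$KNOB")
    if [ "$runtime" != "0" ]; then
        echo exposed
    elif [ "$persisted" != "0" ]; then
        echo not-persisted
    else
        echo ok
    fi
}

# Only query the live kernel on FreeBSD; elsewhere just define the functions.
if [ "$(uname -s)" = "FreeBSD" ]; then
    audit_msgbuf "$(sysctl -n "$KNOB")" /etc/sysctl.conf
fi
```

A `not-persisted` result means the host is hardened now but will expose the kernel message buffer to unprivileged users again after the next boot.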

