HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Pawel Jakub Dawidek pjd at FreeBSD.org
Sat Jan 13 11:48:47 UTC 2007


On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> Hello Everyone,
> 
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
> 
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).

I don't like the way it was fixed. I do know it wasn't easy to fix.
I don't like it because it breaks almost all my current jails, because I
often use /jails/ paths in fstabs, which is actually a symlink to
/usr/jails/.

What I'd like to suggest, which seems a much better way to fix the problem,
is:

1. Apply the patch:

	http://people.freebsd.org/~pjd/patches/realpath.patch

2. Find full path to jail's root with `realpath $_rootdir`.

3. Take the first entry from /etc/fstab.<name>; for example we have a
   mount-point /usr/jails/foo/usr/lib in there. Run `realpath /usr`
   and compare with $_rootfulldir; if it doesn't match, run `realpath
   /usr/jails` and compare; if it doesn't match, take the next path component
   until we find a match.
   When a match is found, what's left is the mount-point inside the jail,
   e.g. '/usr/lib'. Now, run real=`realpath -c $_rootdir /usr/lib`, which
   will give us the full path inside the jail.
   Then, we need to mount the file system on $_rootdir/$real.

4. Repeat 3 for each fstab entry.

With this approach one can use symlinks in any mount-point component.

The whole complexity in point 3 is because people can have a jail's root
configured as '/usr/jails/foo', but use the '/jails/foo' prefix for
mount-points.

I'll keep /var/log/console.log outside a jail, because using
'realpath -c' will be dangerous once the jail is running. There could be
a race where `realpath -c` returns one path, an attacker inside a jail
changes one of the resolved path's components, and rc.d/jail from outside
the jail tries to use it.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
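The resolution sketched in steps 2 and 3 above, as an added example in Python (not code from the post, from the realpath.patch it links to, or from FreeBSD's rc.d/jail): `mountpoint_inside_jail` does the prefix walk that copes with a host-side /jails -> /usr/jails symlink, and `realpath_in_jail` stands in for the proposed `realpath -c` by resolving symlinks relative to the jail root, which is an assumption about what that flag does. The host and jail layout, including the two hostile symlinks inside the jail, is constructed in a temp directory so the script runs anywhere.

```python
"""Resolve per-jail fstab mount points the way step 3 describes, keeping
symlink resolution confined to the jail's root.  Added example; not code from
the post, the referenced patch, or FreeBSD's rc.d/jail."""
import os
import tempfile


def mountpoint_inside_jail(jail_root, mountpoint):
    """Step 3, first half: walk the fstab mount point one component at a time,
    realpath() each prefix on the host, and stop at the first prefix that is the
    jail's real root.  Whatever follows is the mount point *inside* the jail."""
    real_root = os.path.realpath(jail_root)
    parts = [c for c in mountpoint.split("/") if c]
    for i in range(1, len(parts) + 1):
        prefix = "/" + "/".join(parts[:i])
        if os.path.realpath(prefix) == real_root:
            return "/" + "/".join(parts[i:])
    # No prefix resolved to the jail root: the entry would mount outside the jail.
    raise ValueError(f"{mountpoint} is not below jail root {real_root}")


def realpath_in_jail(jail_root, inside_path, max_links=40):
    """Step 3, second half: a stand-in for the proposed `realpath -c` (an
    assumption; the patch itself is not reproduced here).  Symlinks are resolved
    relative to the jail root: an absolute link target restarts at the jail root
    rather than the host's "/", and ".." never climbs above the jail root.
    Only safe before the jail starts; afterwards an attacker inside the jail can
    swap a path component between this check and the mount (the race the post
    describes)."""
    real_root = os.path.realpath(jail_root)
    resolved = real_root
    pending = [c for c in inside_path.split("/") if c and c != "."]
    links_followed = 0
    while pending:
        comp = pending.pop(0)
        if comp == "..":
            if resolved != real_root:
                resolved = os.path.dirname(resolved)
            continue
        candidate = os.path.join(resolved, comp)
        if os.path.islink(candidate):
            links_followed += 1
            if links_followed > max_links:
                raise OSError(f"too many symlinks resolving {inside_path}")
            target = os.readlink(candidate)
            if target.startswith("/"):
                resolved = real_root  # jail-absolute, not host-absolute
            pending = [c for c in target.split("/") if c and c != "."] + pending
            continue
        resolved = candidate
    # Containment holds by construction; keep an explicit guard anyway.
    if resolved != real_root and not resolved.startswith(real_root + "/"):
        raise RuntimeError(f"{resolved} escaped {real_root}")
    return resolved


def build_demo():
    """Constructed layout: <base>/usr/jails/foo is the jail root, <base>/jails
    -> <base>/usr/jails is the host-side symlink from the post, and two hostile
    links live inside the jail.  Returns the jail root and the resolved
    host path for each fstab mount point."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="jaildemo-"))
    jail_root = os.path.join(base, "usr", "jails", "foo")
    for d in ("usr/lib", "var", "tmp"):
        os.makedirs(os.path.join(jail_root, d))
    os.symlink(os.path.join(base, "usr", "jails"), os.path.join(base, "jails"))
    os.symlink("/etc", os.path.join(jail_root, "var", "log"))           # host-absolute escape attempt
    os.symlink("../../../../..", os.path.join(jail_root, "tmp", "up"))  # dot-dot escape attempt
    # fstab.foo entries written with the /jails/foo prefix, as in the post
    mountpoints = [os.path.join(base, "jails", "foo", p)
                   for p in ("usr/lib", "var/log", "tmp/up")]
    results = {}
    for mp in mountpoints:
        inside = mountpoint_inside_jail(jail_root, mp)
        results[inside] = realpath_in_jail(jail_root, inside)
    return jail_root, results


if __name__ == "__main__":
    root, res = build_demo()
    for inside, real in res.items():
        print(f"{inside:10} -> {real}")
```

Both hostile links end up under the jail root (the /etc link resolves to <jailroot>/etc, the dot-dot chain is clamped at the root), while the legitimate /jails/foo/usr/lib entry resolves to the same directory the /usr/jails/foo prefix would have given. As the post notes, this only holds while nothing inside the jail can change the path between resolution and mount, so rc.d/jail has to do it before the jail is started.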