HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Alexander Leidinger
Alexander at Leidinger.net
Tue Jan 16 09:44:07 UTC 2007
Quoting Pawel Jakub Dawidek <pjd at FreeBSD.org> (from Tue, 16 Jan 2007
09:42:43 +0100):
> good-guy attacker-within-a-jail
>
> cd /jail/var/log
> mktemp foo.XXX
> rm -f foo.XXX
> ln -s /etc/spwd.db foo.XXX
> copy /path/to/jail_console.log foo.XXX
> mv -f foo.XXX console.log

I did not have time to look at how the console part is handled. But
out of the blue I would assume the console.log is created before the
jail is started. Like:

 - check if console.log is a file which we are allowed to
   overwrite (no symlink pointing outside the jail)
 - bail out if it points outside the jail or prefix the jail
   base directory to the resulting path if it is a link
 - (echo "Starting $(date)"; start_jail) >>${console.log}
   The echo is there to make sure it exists and the subshell
   to make sure the file is not closed. This assumes the output
   is not more than line buffered (it isn't here on Solaris 10
   with zsh).

Why can't we do it like this?

Bye,
Alexander.
--
" "
-- Charlie Chaplin
" "
-- Harpo Marx
" "
-- Marcel Marceau
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
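
The pre-start check proposed in this message, as an added shell example that is not part of the original mail or of FreeBSD's rc.d/jail: it rejects a console.log that is a symlink, or whose directory resolves outside the jail, and then appends through a single subshell. The function names and the var/log/console.log layout under the jail root are assumptions.

```shell
#!/bin/sh
# Added example; function names and the var/log/console.log layout under the
# jail root are assumptions, not code from rc.d/jail.

# Print the console log path if it resolves inside the jail, else return 1.
# Must run before the jail starts, so that no jailed process can swap the
# path between this check and the open in run_with_console.
jail_console_path() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    # pwd -P resolves every symlink in the directory part, so a var or log
    # symlink planted inside the jail shows up as a path outside $root.
    dir=$(cd "$root/var/log" 2>/dev/null && pwd -P) || return 1
    case "$dir" in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    log="$dir/console.log"
    # Bail out on a symlink or any other non-regular final component.
    if [ -L "$log" ]; then return 1; fi
    if [ -e "$log" ] && [ ! -f "$log" ]; then return 1; fi
    printf '%s\n' "$log"
}

# Run a command with its output appended to the checked console log.
# The echo makes sure the file exists; the subshell keeps one descriptor
# open for the whole run, as the message describes.
run_with_console() {
    log=$(jail_console_path "$1") || {
        echo "refusing console log for $1" >&2
        return 1
    }
    shift
    ( echo "Starting $(date)"; "$@" ) >>"$log"
}

# Constructed demo: a scratch "jail" whose console.log is a symlink.
demo=$(mktemp -d)
mkdir -p "$demo/jail/var/log"
: >"$demo/host_file"
ln -s "$demo/host_file" "$demo/jail/var/log/console.log"
run_with_console "$demo/jail" echo "jail started" || echo "symlink rejected"
rm -rf "$demo"
```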