On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> Hello Everyone,
>
> I usually let security advisories speak for themselves, but I want to call
> special attention to this one: If you use jails, READ THE ADVISORY, in
> particular the "NOTE WELL" part below; and if you have problems after applying
> the security patch, LET US KNOW -- we do everything we can to make sure
> that security updates will never cause problems, but in this case we could
> not fix all of the security issues without either making assumptions
> about how systems are configured or reducing functionality.
>
> In the end we opted to reduce functionality (the jail startup process is
> no longer logged to /var/log/console.log inside the jail), make an assumption
> about how systems are configured (filesystems which are mounted via per-jail
> fstab files should not be mounted on symlinks -- if you do this, adjust your
> fstab files to give the real, non-symlinked, path to the mount point), and
> leave a potential security problem unfixed (if you mount any filesystems via
> per-jail fstab files on mount points which are visible within multiple jails,
> there are problems -- don't do this).
I don't like the way it was fixed. I do know it wasn't easy to fix.
I don't like it because it breaks almost all my current jails, because I
often use /jails/ paths in fstabs, which is actually a symlink to
/usr/jails/.
What I'd like to suggest, which seems a much better way to fix the problem,
is:
1. Apply the patch:
http://people.freebsd.org/~pjd/patches/realpath.patch
2. Find the full path to the jail's root with `realpath $_rootdir`.
3. Take the first entry from /etc/fstab.<name>; for example we have a
mount-point /usr/jails/foo/usr/lib in there. Run `realpath /usr`
and compare with $_rootfulldir; if it doesn't match, run `realpath
/usr/jails` and compare; if it doesn't match, take the next path component
until we find a match.
When a match is found, what's left over is the mount-point inside the jail,
e.g. '/usr/lib'. Now, run real=`realpath -c $_rootdir /usr/lib`, which
will give us the full path inside the jail.
Then, we need to mount file system on $_rootdir/$real.
4. Repeat 3 for each fstab entry.
With this approach one can use symlinks in any mount-point component.
The whole complexity in point 3, is because people can have jail's root
configured as '/usr/jails/foo', but use '/jails/foo' prefix for
mount-points.
I'll keep /var/log/console.log outside a jail, because using
'realpath -c' will be dangerous once the jail is running. There could be
a race where `realpath -c` returns one path, an attacker inside a jail
changes one of resolved path's component and rc.d/jail from outside a
jail tries to use it.
--
Pawel Jakub Dawidek http://www.wheel.pl
[EMAIL PROTECTED] http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
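An added illustration of the algorithm proposed in steps 2 and 3 above; this is not Pawel's patch and not FreeBSD's rc.d/jail code. `jail_realpath` is an assumed stand-in for the patch's `realpath -c` (symlinks resolved as if the jail root were `/`, so absolute targets and `..` cannot leave it), and `demo` builds a constructed directory layout mirroring the mail (`/jails` as a symlink to `/usr/jails`):

```python
import os
import tempfile

def jail_realpath(root, path):
    # Resolve `path` as seen from inside a chroot at `root` (assumed
    # behaviour of the proposed `realpath -c`).  Absolute link targets
    # are re-rooted at `root`; '..' never climbs above it.
    root = os.path.realpath(root)
    resolved, hops = [], 0
    todo = [c for c in path.split('/') if c and c != '.']
    while todo:
        comp = todo.pop(0)
        if comp == '..':
            if resolved:
                resolved.pop()
            continue
        host = os.path.join(root, *resolved, comp)
        if os.path.islink(host):
            hops += 1
            if hops > 40:
                raise OSError('too many levels of symbolic links: %s' % path)
            target = os.readlink(host)
            if target.startswith('/'):
                resolved = []          # absolute target: confined to the jail root
            todo = [c for c in target.split('/') if c and c != '.'] + todo
        else:
            resolved.append(comp)
    return '/' + '/'.join(resolved)

def split_fstab_mountpoint(rootdir, mountpoint):
    # Step 3: realpath each prefix of the fstab mount-point until one equals
    # the jail's real root; the remainder is the mount-point inside the jail.
    rootfull = os.path.realpath(rootdir)
    comps = [c for c in mountpoint.split('/') if c]
    for i in range(1, len(comps) + 1):
        if os.path.realpath('/' + '/'.join(comps[:i])) == rootfull:
            return '/' + '/'.join(comps[i:])
    return None                        # entry is not below this jail at all

def host_mount_path(rootdir, mountpoint):
    # The host path on which the entry should actually be mounted.
    inside = split_fstab_mountpoint(rootdir, mountpoint)
    if inside is None:
        raise ValueError('%s is not under jail root %s' % (mountpoint, rootdir))
    return os.path.normpath(os.path.realpath(rootdir) + jail_realpath(rootdir, inside))

def demo():
    # Constructed layout: <base>/usr/jails/foo is the jail, <base>/jails -> usr/jails,
    # and inside the jail /usr/lib is a symlink that tries to climb out of the root.
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, 'usr', 'jails', 'foo', 'usr'))
    os.symlink('usr/jails', os.path.join(base, 'jails'))
    os.symlink('../../../../etc', os.path.join(base, 'usr', 'jails', 'foo', 'usr', 'lib'))
    rootdir = os.path.join(base, 'jails', 'foo')            # configured via the symlink
    mountpoint = os.path.join(rootdir, 'usr', 'lib')
    realbase = os.path.realpath(base)
    return {
        'inside': split_fstab_mountpoint(rootdir, mountpoint),
        'confined': jail_realpath(rootdir, '/usr/lib'),
        'mount_on': host_mount_path(rootdir, mountpoint)
                    == os.path.join(realbase, 'usr', 'jails', 'foo', 'etc'),
        'naive_escapes': os.path.realpath(mountpoint) == os.path.join(realbase, 'etc'),
    }
```

Running `demo()` shows the difference the confinement makes: the plain host-side realpath of the same mount-point resolves outside the jail, while the confined resolver keeps it under the jail root.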