Quoting Pawel Jakub Dawidek <[EMAIL PROTECTED]> (from Tue, 16 Jan 2007 09:42:43 +0100):

        good-guy                                attacker-within-a-jail

        cd /jail/var/log
        mktemp foo.XXX
                                                rm -f foo.XXX
                                                ln -s /etc/spwd.db foo.XXX
        copy /path/to/jail_console.log foo.XXX
        mv -f foo.XXX console.log

I did not have time to look at how the console part is handled. But out of the blue I would assume the console.log is created before the jail is started. Like:
 - check if console.log is a file which we are allowed to
   overwrite (no symlink pointing outside the jail)
 - bail out if it points outside the jail or prefix the jail
   base directory to the resulting path if it is a link
 - (echo "Starting $(date)"; start_jail) >>${console.log}
   The echo is there to make sure it exists and the subshell
   to make sure the file is not closed. This assumes the output
   is not more than line buffered (it isn't here on Solaris 10
   with zsh).

Why can't we do it like this?

Bye,
Alexander.

--
" "
                -- Charlie Chaplin

" "
                -- Harpo Marx

" "
                -- Marcel Marceau

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
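An added example, not part of the original message and not FreeBSD's own code: one way for the host to open a log file inside a jail-writable directory so that the symlink check and the open happen in a single step, leaving no window between them. The function names `open_log_nofollow` and `demo_symlink_rejected` are hypothetical, and a temporary directory stands in for /jail/var/log.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` inside `dir` for appending, refusing to follow a symlink.
 * Returns an fd, or -1 (errno set) if `name` is a symlink or not a regular file. */
int open_log_nofollow(const char *dir, const char *name)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -1;
    /* O_NOFOLLOW: the kernel rejects a symlink at open time, atomically. */
    int fd = openat(dfd, name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    int saved = errno;
    close(dfd);
    if (fd < 0) { errno = saved; return -1; }
    /* Check the object actually opened (via the fd), not the path. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: returns 1 if a symlinked console.log is refused
 * and a plain console.log in the same directory is accepted. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/jaillogXXXXXX", target[] = "/tmp/jailtgtXXXXXX", path[128];
    int tfd = mkstemp(target);                 /* stands in for a host file */
    if (tfd < 0 || mkdtemp(dir) == NULL) return -1;
    close(tfd);
    snprintf(path, sizeof path, "%s/console.log", dir);
    if (symlink(target, path) != 0) return -1; /* symlink as in the quoted sequence */
    int bad = open_log_nofollow(dir, "console.log");  /* must fail */
    unlink(path);
    int good = open_log_nofollow(dir, "console.log"); /* created as a plain file */
    int ok = (bad == -1 && good >= 0);
    if (good >= 0) close(good);
    unlink(path); rmdir(dir); unlink(target);
    return ok;
}

int main(void) { printf("symlink rejected: %d\n", demo_symlink_rejected()); return 0; }
```

O_NOFOLLOW guards only the final path component; the directory path passed in is still resolved normally, so it has to be one the jail cannot redirect.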
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
