Re: jail exec.clean busted in 12?
On Tue, Sep 11, 2018 at 06:55:56PM -0400, Shawn Webb wrote:
> On Tue, Sep 11, 2018 at 03:58:02PM -0400, Michael W. Lucas wrote:
> >
> > Hi,
> >
> > storm~;uname -a
> > FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep 6
> > 12:29:00 EDT 2018 root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
> > amd64
> >
> > It appears that exec.clean is busted. Here's my jail.conf:
> >
> > ---
> >
> > $j="/jail";
> > path="$j/$name";
> > host.hostname="$name.mwl.io";
> >
> > mount.devfs;
> > exec.clean=0;
> > exec.start="sh /etc/rc";
> > exec.stop="sh /etc/rc.shutdown";
> >
> > loghost {
> >     ip4.addr="203.0.113.231";
> >     allow.raw_sockets=1;
> >     jid=99;
> > }
> >
> > logdb {
> >     host.hostname="logdb.mwl.io";
> >     ip4.addr="203.0.113.232";
> > }
> >
> > ---
> >
> > exec.clean is not explicitly defined on the command line, but it's the
> > default, so it maybe shouldn't be?
> >
> > storm~;jls -n
> > devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable
> > jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0
> > path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable
> > sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount
> > allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs
> > allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs
> > allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports
> > allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0
> > children.max=0 cpuset.id=6 host.domainname="" host.hostid=0
> > host.hostname=logdb.mwl.io
> > host.hostuuid=---- ip4.addr=203.0.113.232
> > ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux
> > linux.osrelease=2.6.32 linux.oss_version=198144
> > devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable
> > jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4
> > parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable
> > sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock
> > allow.nomount allow.mount.nodevfs allow.mount.nofdescfs
> > allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs
> > allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets
> > allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc
> > children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0
> > host.hostname=loghost.mwl.io
> > host.hostuuid=---- ip4.addr=203.0.113.231
> > ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux
> > linux.osrelease=2.6.32 linux.oss_version=198144
> >
> > Anyway, I found this by:
> >
> > # jexec loghost env
> > HOME=/home/mwlucas
> > PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
> > TERM=xterm
> > LC_COLLATE=C
> > LANG=en_US.UTF-8
> > SSH_CLIENT=203.0.113.70 59076 22
> > SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> > SSH_TTY=/dev/pts/2
> > SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> > LC_CTYPE=en_US.ISO-8859-1
> > MAIL=/var/mail/root
> > ...
> >
> > I'm highly confident my SSH environment shouldn't be in the jail. Yes,
> > it goes away if I add -l, but my (admittedly sketchy) reading of the
> > jexec source says that jexec handles stripping the environment before
> > running the command.
> >
> > Even if I start it the hard way (from a discussion at
> > https://github.com/iocage/iocage/issues/610)
> >
> > storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1
> > persist
> > storm~;jls
> >    JID  IP Address      Hostname                      Path
> >      9                  loghost                       /jail/loghost
> >
> > storm~;jexec 9 env | grep -i ssh
> > SSH_CLIENT=203.0.113.70 59076 22
> > SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> > SSH_TTY=/dev/pts/2
> > SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> > storm~;
> >
> > Any ideas?
>
> Hey Michael,
>
> It appears the jail.exec option is for jail(8) only.

Ah, okay. Thanks. Not obvious, but makes sense.

(So you can run your dirty environment in the jail through jexec? Cool.)

==ml

> You need to pass
> the -l option to jexec(8) to sanitize the environment.
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder and Security Engineer
> HardenedBSD
>
> Tor-ified Signal: +1 443-546-8752
> Tor+XMPP+OTR: latt...@is.a.hacker.sx
> GPG Key ID: 0x6A84658F52456EEE
> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder, Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: jail exec.clean busted in 12?
On Tue, Sep 11, 2018 at 03:58:02PM -0400, Michael W. Lucas wrote:
>
> Hi,
>
> storm~;uname -a
> FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep 6
> 12:29:00 EDT 2018 root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
> amd64
>
> It appears that exec.clean is busted. Here's my jail.conf:
>
> ---
>
> $j="/jail";
> path="$j/$name";
> host.hostname="$name.mwl.io";
>
> mount.devfs;
> exec.clean=0;
> exec.start="sh /etc/rc";
> exec.stop="sh /etc/rc.shutdown";
>
> loghost {
>     ip4.addr="203.0.113.231";
>     allow.raw_sockets=1;
>     jid=99;
> }
>
> logdb {
>     host.hostname="logdb.mwl.io";
>     ip4.addr="203.0.113.232";
> }
>
> ---
>
> exec.clean is not explicitly defined on the command line, but it's the
> default, so it maybe shouldn't be?
>
> storm~;jls -n
> devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable
> jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0
> path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable
> sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount
> allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs
> allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs
> allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports
> allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0
> children.max=0 cpuset.id=6 host.domainname="" host.hostid=0
> host.hostname=logdb.mwl.io host.hostuuid=----
> ip4.addr=203.0.113.232 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux
> linux.osrelease=2.6.32 linux.oss_version=198144
> devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable
> jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4
> parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable
> sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock
> allow.nomount allow.mount.nodevfs allow.mount.nofdescfs
> allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs
> allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets
> allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc
> children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0
> host.hostname=loghost.mwl.io
> host.hostuuid=---- ip4.addr=203.0.113.231
> ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32
> linux.oss_version=198144
>
> Anyway, I found this by:
>
> # jexec loghost env
> HOME=/home/mwlucas
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
> TERM=xterm
> LC_COLLATE=C
> LANG=en_US.UTF-8
> SSH_CLIENT=203.0.113.70 59076 22
> SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> SSH_TTY=/dev/pts/2
> SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> LC_CTYPE=en_US.ISO-8859-1
> MAIL=/var/mail/root
> ...
>
> I'm highly confident my SSH environment shouldn't be in the jail. Yes,
> it goes away if I add -l, but my (admittedly sketchy) reading of the
> jexec source says that jexec handles stripping the environment before
> running the command.
>
> Even if I start it the hard way (from a discussion at
> https://github.com/iocage/iocage/issues/610)
>
> storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 persist
> storm~;jls
>    JID  IP Address      Hostname                      Path
>      9                  loghost                       /jail/loghost
>
> storm~;jexec 9 env | grep -i ssh
> SSH_CLIENT=203.0.113.70 59076 22
> SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> SSH_TTY=/dev/pts/2
> SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> storm~;
>
> Any ideas?

Hey Michael,

It appears the jail.exec option is for jail(8) only. You need to pass
the -l option to jexec(8) to sanitize the environment.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: latt...@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
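
An added example, not part of either poster's message and not code from jexec(8): a way to see which variables ride into a jail from the host login session, and to scrub them when -l is not wanted. The names `leaked_vars`, `clean_run` and `ALLOW` and the allowlist contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example; function names and the allowlist are assumptions.
# jexec(8) documents that -l keeps only HOME, SHELL, TERM and USER and then
# adds the target login class's variables (PATH among them).
ALLOW='HOME SHELL TERM USER PATH'

# Read `env` output on stdin and print every variable name outside ALLOW.
leaked_vars() {
    while IFS= read -r line; do
        case $line in
            *=*) name=${line%%=*} ;;
            *) continue ;;                       # no NAME= prefix
        esac
        case $name in
            ''|*[!A-Za-z0-9_]*) continue ;;      # tail of a multi-line value
        esac
        case " $ALLOW " in
            *" $name "*) ;;                      # expected in a clean environment
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Run a command with a scrubbed environment. Plain jexec passes its own
# environment through (the behaviour reported in the thread), so
# `clean_run jexec loghost env` gives the jailed command only these values.
clean_run() {
    env -i TERM="${TERM:-dumb}" PATH=/sbin:/bin:/usr/sbin:/usr/bin "$@"
}

# Constructed sample: a subset of the `jexec loghost env` output quoted above.
SAMPLE='HOME=/home/mwlucas
TERM=xterm
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
MAIL=/var/mail/root'

# Prints the five names that rode in from the host login session.
printf '%s\n' "$SAMPLE" | leaked_vars
```

On a FreeBSD host, compare `jexec loghost env | leaked_vars` with `jexec -l loghost env | leaked_vars`; variables set by the target's login class will also be listed unless they are added to `ALLOW`.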
jail exec.clean busted in 12?
Hi,

storm~;uname -a
FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep 6
12:29:00 EDT 2018 root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
amd64

It appears that exec.clean is busted. Here's my jail.conf:

---

$j="/jail";
path="$j/$name";
host.hostname="$name.mwl.io";

mount.devfs;
exec.clean=0;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";

loghost {
    ip4.addr="203.0.113.231";
    allow.raw_sockets=1;
    jid=99;
}

logdb {
    host.hostname="logdb.mwl.io";
    ip4.addr="203.0.113.232";
}

---

exec.clean is not explicitly defined on the command line, but it's the
default, so it maybe shouldn't be?

storm~;jls -n
devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable
jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0
path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable
sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount
allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs
allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs
allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports
allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0
children.max=0 cpuset.id=6 host.domainname="" host.hostid=0
host.hostname=logdb.mwl.io host.hostuuid=----
ip4.addr=203.0.113.232 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux
linux.osrelease=2.6.32 linux.oss_version=198144
devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable
jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4
parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable
sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock
allow.nomount allow.mount.nodevfs allow.mount.nofdescfs
allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs
allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets
allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc
children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0
host.hostname=loghost.mwl.io
host.hostuuid=---- ip4.addr=203.0.113.231
ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32
linux.oss_version=198144

Anyway, I found this by:

# jexec loghost env
HOME=/home/mwlucas
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
TERM=xterm
LC_COLLATE=C
LANG=en_US.UTF-8
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
LC_CTYPE=en_US.ISO-8859-1
MAIL=/var/mail/root
...

I'm highly confident my SSH environment shouldn't be in the jail. Yes,
it goes away if I add -l, but my (admittedly sketchy) reading of the
jexec source says that jexec handles stripping the environment before
running the command.

Even if I start it the hard way (from a discussion at
https://github.com/iocage/iocage/issues/610)

storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 persist
storm~;jls
   JID  IP Address      Hostname                      Path
     9                  loghost                       /jail/loghost

storm~;jexec 9 env | grep -i ssh
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
storm~;

Any ideas?

Thanks,
==ml

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder, Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...