Re: jail exec.clean busted in 12?

2018-09-11 Thread Michael W. Lucas
On Tue, Sep 11, 2018 at 06:55:56PM -0400, Shawn Webb wrote:
> On Tue, Sep 11, 2018 at 03:58:02PM -0400, Michael W. Lucas wrote:
> > 
> > Hi,
> > 
> > storm~;uname -a
> > FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep  6 
> > 12:29:00 EDT 2018 root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  
> > amd64
> > 
> > It appears that exec.clean is busted. Here's my jail.conf:
> > 
> > ---
> > 
> > $j="/jail";
> > path="$j/$name";
> > host.hostname="$name.mwl.io";
> > 
> > mount.devfs;
> > exec.clean=0;
> > exec.start="sh /etc/rc";
> > exec.stop="sh /etc/rc.shutdown";
> > 
> > loghost {
> >   ip4.addr="203.0.113.231";
> >   allow.raw_sockets=1;
> >   jid=99;
> > }
> > 
> > logdb {
> >   host.hostname="logdb.mwl.io";
> >   ip4.addr="203.0.113.232";
> >   }
> > 
> > ---
> > 
> > exec.clean is not explicitly defined on the command line, but it's the
> > default, so it maybe shouldn't be?
> > 
> > storm~;jls -n
> > devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable 
> > jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 
> > path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable 
> > sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount 
> > allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs 
> > allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs 
> > allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports 
> > allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 
> > children.max=0 cpuset.id=6 host.domainname="" host.hostid=0 
> > host.hostname=logdb.mwl.io 
> > host.hostuuid=---- ip4.addr=203.0.113.232 
> > ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux 
> > linux.osrelease=2.6.32 linux.oss_version=198144
> > devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable 
> > jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4 
> > parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable 
> > sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock 
> > allow.nomount allow.mount.nodevfs allow.mount.nofdescfs 
> > allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs 
> > allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets 
> > allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc 
> > children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0 
> > host.hostname=loghost.mwl.io 
> > host.hostuuid=---- ip4.addr=203.0.113.231 
> > ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux 
> > linux.osrelease=2.6.32 linux.oss_version=198144
> > 
> > Anyway, I found this by:
> > 
> > # jexec loghost env
> > HOME=/home/mwlucas
> > PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
> > TERM=xterm
> > LC_COLLATE=C
> > LANG=en_US.UTF-8
> > SSH_CLIENT=203.0.113.70 59076 22
> > SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> > SSH_TTY=/dev/pts/2
> > SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> > LC_CTYPE=en_US.ISO-8859-1
> > MAIL=/var/mail/root
> > ...
> > 
> > I'm highly confident my SSH environment shouldn't be in the jail. Yes,
> > it goes away if I add -l, but my (admittedly sketchy) reading of the
> > jexec source says that jexec handles stripping the environment before
> > running the command.
> > 
> > Even if I start it the hard way (from a discussion at
> > https://github.com/iocage/iocage/issues/610)
> > 
> > storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 
> > persist
> > storm~;jls
> >    JID  IP Address      Hostname      Path
> >      9                  loghost       /jail/loghost
> >  
> > storm~;jexec 9 env | grep -i ssh
> > SSH_CLIENT=203.0.113.70 59076 22
> > SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> > SSH_TTY=/dev/pts/2
> > SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> > storm~;
> > 
> > Any ideas?
> 
> Hey Michael,
> 
> It appears the jail.exec option is for jail(8) only.

Ah, okay. Thanks. Not obvious, but makes sense.

(So you can run your dirty environment in the jail through jexec? Cool.)

==ml

> You need to pass
> the -l option to jexec(8) to sanitize the environment.
> 
> Thanks,
> 
> -- 
> Shawn Webb
> Cofounder and Security Engineer
> HardenedBSD
> 
> Tor-ified Signal:+1 443-546-8752
> Tor+XMPP+OTR:latt...@is.a.hacker.sx
> GPG Key ID:  0x6A84658F52456EEE
> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE



-- 
Michael W. Lucas    https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: jail exec.clean busted in 12?

2018-09-11 Thread Shawn Webb
On Tue, Sep 11, 2018 at 03:58:02PM -0400, Michael W. Lucas wrote:
> 
> Hi,
> 
> storm~;uname -a
> FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep  6 
> 12:29:00 EDT 2018 root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  
> amd64
> 
> It appears that exec.clean is busted. Here's my jail.conf:
> 
> ---
> 
> $j="/jail";
> path="$j/$name";
> host.hostname="$name.mwl.io";
> 
> mount.devfs;
> exec.clean=0;
> exec.start="sh /etc/rc";
> exec.stop="sh /etc/rc.shutdown";
> 
> loghost {
>   ip4.addr="203.0.113.231";
>   allow.raw_sockets=1;
>   jid=99;
> }
> 
> logdb {
>   host.hostname="logdb.mwl.io";
>   ip4.addr="203.0.113.232";
>   }
> 
> ---
> 
> exec.clean is not explicitly defined on the command line, but it's the
> default, so it maybe shouldn't be?
> 
> storm~;jls -n
> devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable 
> jid=8 linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 
> path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable 
> sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount 
> allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs 
> allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs 
> allow.mount.nozfs allow.noquotas allow.noraw_sockets allow.reserved_ports 
> allow.set_hostname allow.nosocket_af allow.nosysvipc children.cur=0 
> children.max=0 cpuset.id=6 host.domainname="" host.hostid=0 
> host.hostname=logdb.mwl.io host.hostuuid=---- 
> ip4.addr=203.0.113.232 ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux 
> linux.osrelease=2.6.32 linux.oss_version=198144
> devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable 
> jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4 
> parent=0 path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable 
> sysvsem=disable sysvshm=disable vnet=inherit allow.nochflags allow.nomlock 
> allow.nomount allow.mount.nodevfs allow.mount.nofdescfs 
> allow.mount.nolinprocfs allow.mount.nonullfs allow.mount.noprocfs 
> allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets 
> allow.reserved_ports allow.set_hostname allow.nosocket_af allow.nosysvipc 
> children.cur=0 children.max=0 cpuset.id=7 host.domainname="" host.hostid=0 
> host.hostname=loghost.mwl.io 
> host.hostuuid=---- ip4.addr=203.0.113.231 
> ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 
> linux.oss_version=198144
> 
> Anyway, I found this by:
> 
> # jexec loghost env
> HOME=/home/mwlucas
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
> TERM=xterm
> LC_COLLATE=C
> LANG=en_US.UTF-8
> SSH_CLIENT=203.0.113.70 59076 22
> SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> SSH_TTY=/dev/pts/2
> SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> LC_CTYPE=en_US.ISO-8859-1
> MAIL=/var/mail/root
> ...
> 
> I'm highly confident my SSH environment shouldn't be in the jail. Yes,
> it goes away if I add -l, but my (admittedly sketchy) reading of the
> jexec source says that jexec handles stripping the environment before
> running the command.
> 
> Even if I start it the hard way (from a discussion at
> https://github.com/iocage/iocage/issues/610)
> 
> storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 persist
> storm~;jls
>    JID  IP Address      Hostname      Path
>      9                  loghost       /jail/loghost
>  
> storm~;jexec 9 env | grep -i ssh
> SSH_CLIENT=203.0.113.70 59076 22
> SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
> SSH_TTY=/dev/pts/2
> SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
> storm~;
> 
> Any ideas?

Hey Michael,

It appears the jail.exec option is for jail(8) only. You need to pass
the -l option to jexec(8) to sanitize the environment.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:+1 443-546-8752
Tor+XMPP+OTR:latt...@is.a.hacker.sx
GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE


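Added example, not code from the thread or from FreeBSD's jail(8)/jexec(8): a POSIX sh emulation of the clean-environment policy both tools document (keep TERM from the caller, set HOME, SHELL and USER for the target login, drop everything else), plus a filter that lists which variables a jexec without -l carries into the jail. The function names, the user/home/shell arguments and the sample environment are my constructions; the sample reuses the variable names from the `jexec loghost env` output above with placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's jail(8)/jexec(8).
# Emulates the clean-environment policy both tools document: discard the
# caller's environment except TERM, and set HOME, SHELL and USER for the
# target login. (The login-class variables jexec -l also applies are left
# out here.) Assumes a POSIX sh with an env(1) that supports -i.

# clean_exec USER HOME SHELL CMD [ARGS...]  (hypothetical helper name)
# Runs CMD with only the four variables a clean environment carries.
clean_exec() {
    _user=$1; _home=$2; _shell=$3; shift 3
    env -i HOME="$_home" SHELL="$_shell" USER="$_user" \
        TERM="${TERM:-dumb}" "$@"
}

# leaked_vars: read `env` output on stdin and print the names of variables
# that a clean environment would drop, i.e. what jexec without -l inherits.
leaked_vars() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' |
        grep -v -x -e HOME -e SHELL -e USER -e TERM | sort
}

# Constructed sample of a host environment (same variable names as the
# `jexec loghost env` output in the thread; values are placeholders).
SAMPLE_ENV='HOME=/home/example
PATH=/sbin:/bin:/usr/sbin:/usr/bin
TERM=xterm
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-constructed/agent.1
MAIL=/var/mail/root'

# Number of variables in the sample that would leak into the jail.
sample_leak_count() {
    printf '%s\n' "$SAMPLE_ENV" | leaked_vars | wc -l | tr -d ' '
}

# Number of variables a command started through clean_exec actually sees.
clean_var_count() {
    clean_exec root /root /bin/sh "$(command -v env)" | wc -l | tr -d ' '
}

# Stand-alone run: list the leaked names, then show the clean view.
printf '%s\n' "$SAMPLE_ENV" | leaked_vars
clean_exec root /root /bin/sh "$(command -v env)"
```

Wrapping a real jexec the same way (`jexec <jail> /usr/bin/env -i ... cmd`) gives the -l behaviour from the host side; on a jail built from the thread's config, `jexec loghost env` without -l prints whatever the calling shell had.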


jail exec.clean busted in 12?

2018-09-11 Thread Michael W. Lucas


Hi,

storm~;uname -a
FreeBSD storm 12.0-ALPHA4 FreeBSD 12.0-ALPHA4 #10 r338496: Thu Sep  6 12:29:00 
EDT 2018 root@storm:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

It appears that exec.clean is busted. Here's my jail.conf:

---

$j="/jail";
path="$j/$name";
host.hostname="$name.mwl.io";

mount.devfs;
exec.clean=0;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";

loghost {
  ip4.addr="203.0.113.231";
  allow.raw_sockets=1;
  jid=99;
}

logdb {
  host.hostname="logdb.mwl.io";
  ip4.addr="203.0.113.232";
  }

---

exec.clean is not explicitly defined on the command line, but it's the
default, so it maybe shouldn't be?

storm~;jls -n
devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable jid=8 
linux=new name=logdb osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 
path=/jail/logdb nopersist securelevel=-1 sysvmsg=disable sysvsem=disable 
sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount 
allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs 
allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs 
allow.noquotas allow.noraw_sockets allow.reserved_ports allow.set_hostname 
allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=6 
host.domainname="" host.hostid=0 host.hostname=logdb.mwl.io 
host.hostuuid=---- ip4.addr=203.0.113.232 
ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 
linux.oss_version=198144
devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=disable ip6=disable 
jid=99 linux=new name=loghost osreldate=1200084 osrelease=12.0-ALPHA4 parent=0 
path=/jail/loghost nopersist securelevel=-1 sysvmsg=disable sysvsem=disable 
sysvshm=disable vnet=inherit allow.nochflags allow.nomlock allow.nomount 
allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs 
allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs 
allow.noquotas allow.raw_sockets allow.reserved_ports allow.set_hostname 
allow.nosocket_af allow.nosysvipc children.cur=0 children.max=0 cpuset.id=7 
host.domainname="" host.hostid=0 host.hostname=loghost.mwl.io 
host.hostuuid=---- ip4.addr=203.0.113.231 
ip4.saddrsel ip6.addr= ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.32 
linux.oss_version=198144

Anyway, I found this by:

# jexec loghost env
HOME=/home/mwlucas
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/mwlucas/bin
TERM=xterm
LC_COLLATE=C
LANG=en_US.UTF-8
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
LC_CTYPE=en_US.ISO-8859-1
MAIL=/var/mail/root
...

I'm highly confident my SSH environment shouldn't be in the jail. Yes,
it goes away if I add -l, but my (admittedly sketchy) reading of the
jexec source says that jexec handles stripping the environment before
running the command.

Even if I start it the hard way (from a discussion at
https://github.com/iocage/iocage/issues/610)

storm~;jail -c path=/jail/loghost/ host.hostname=loghost exec.clean=1 persist
storm~;jls
   JID  IP Address      Hostname      Path
     9                  loghost       /jail/loghost
 
storm~;jexec 9 env | grep -i ssh
SSH_CLIENT=203.0.113.70 59076 22
SSH_CONNECTION=203.0.113.70 59076 203.0.113.50 22
SSH_TTY=/dev/pts/2
SSH_AUTH_SOCK=/tmp/ssh-ZfvZOatcsu/agent.60492
storm~;

Any ideas?

Thanks,
==ml

-- 
Michael W. Lucas    https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...