Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-23 Thread Pawel Jakub Dawidek 
On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
 Quoting Pawel Jakub Dawidek [EMAIL PROTECTED] (Sat, 20 Jan 2007 14:03:08 
 +0100):
 
  I fully agree that console.log should be outside a jail. At least noone
  proposed safe solution so far, which also means it's not an easy fix.
 
 What's unsafe about my proposal? I did had a look at the code now, and
 it should work (with minor mods).
 
 Original:
 ---snip---
 _tmp_jail=${_tmp_dir}/jail.$$
 eval jail ${_flags} -i ${_rootdir} ${_hostname} \
 ${_ip} ${_exec_start}  ${_tmp_jail} 21
 
 if [ $? -eq 0 ] ; then
 _jail_id=$(head -1 ${_tmp_jail})
 i=1
 while [ true ]; do
 eval out=\\${_exec_afterstart${i}:-''}\
 
 if [ -z $out ]; then
 break;
 fi
 
 jexec ${_jail_id} ${out}
 i=$((i + 1))
 done
 
 echo -n  $_hostname
 tail +2 ${_tmp_jail} ${_consolelog}
 echo ${_jail_id}  /var/run/jail_${_jail}.id
 ---snip---
 
 Pseudocode proposal, not tested (changes prefixed with 'x'):
 ---snip---
 _tmp_jail=${_tmp_dir}/jail.$$
 x   # assuming safe _consolelog (inside chroot) according
 to the
 x   # previous mails here in the thread
 x eval (echo  ; \
 x   jail ${_flags} -I /var/run/jail_${_jail}.id \
 x   ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
 x${_consolelog} 21
 
 if [ $? -eq 0 ] ; then
 x   _jail_id=$(cat /var/run/jail_${_jail}.id)
 i=1
 while [ true ]; do
 eval out=\\${_exec_afterstart${i}:-''}\
 
 if [ -z $out ]; then
 break;
 fi
 
 jexec ${_jail_id} ${out}
 i=$((i + 1))
 done
 
 echo -n  $_hostname
 x
 x
 ---snip---
 
 Repeating my points:
  - sanitize the consolelog path like discussed in this thread
  - the jail is not running, so nobody can create a link (jail
root within FS space of another jail still prohibited)
  - subshell to group echo and jail
  - 'echo ' to make sure the file exists when the jail starts
  - (new) additional flag to jail to write a jid file
  - redirect to the consolelog, it is still open from the echo
when the jail starts so there's no race
 
 I did test (echo 1; sleep 60 ; echo 2) /tmp/test in /bin/sh, and it
 is line buffered, so the above works.
 
 Where's the security problem in the above?

It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)

-- 
Pawel Jakub Dawidek   http://www.wheel.pl
[EMAIL PROTECTED]   http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!


pgpxJyediGS02.pgp
Description: PGP signature

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-23 Thread Alexander Leidinger 
Quoting Pawel Jakub Dawidek [EMAIL PROTECTED] (from Tue, 23 Jan 2007  
12:34:44 +0100):



On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
Quoting Pawel Jakub Dawidek [EMAIL PROTECTED] (Sat, 20 Jan 2007   
14:03:08 +0100):


 I fully agree that console.log should be outside a jail. At least noone
 proposed safe solution so far, which also means it's not an easy fix.

What's unsafe about my proposal? I did had a look at the code now, and
it should work (with minor mods).

Original:
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
eval jail ${_flags} -i ${_rootdir} ${_hostname} \
${_ip} ${_exec_start}  ${_tmp_jail} 21

if [ $? -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
i=1
while [ true ]; do
eval out=\\${_exec_afterstart${i}:-''}\

if [ -z $out ]; then
break;
fi

jexec ${_jail_id} ${out}
i=$((i + 1))
done

echo -n  $_hostname
tail +2 ${_tmp_jail} ${_consolelog}
echo ${_jail_id}  /var/run/jail_${_jail}.id
---snip---

Pseudocode proposal, not tested (changes prefixed with 'x'):
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
x   # assuming safe _consolelog (inside chroot) according
to the
x   # previous mails here in the thread
x   eval (echo  ; \
x   jail ${_flags} -I /var/run/jail_${_jail}.id \
x   ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
x${_consolelog} 21

if [ $? -eq 0 ] ; then
x   _jail_id=$(cat /var/run/jail_${_jail}.id)
i=1
while [ true ]; do
eval out=\\${_exec_afterstart${i}:-''}\

if [ -z $out ]; then
break;
fi

jexec ${_jail_id} ${out}
i=$((i + 1))
done

echo -n  $_hostname
x
x
---snip---

Repeating my points:
 - sanitize the consolelog path like discussed in this thread
 - the jail is not running, so nobody can create a link (jail
   root within FS space of another jail still prohibited)
 - subshell to group echo and jail
 - 'echo ' to make sure the file exists when the jail starts
 - (new) additional flag to jail to write a jid file
 - redirect to the consolelog, it is still open from the echo
   when the jail starts so there's no race

I did test (echo 1; sleep 60 ; echo 2) /tmp/test in /bin/sh, and it
is line buffered, so the above works.

Where's the security problem in the above?


It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)


The spawned subshell is like a command. It doesn't make sense to  
reopen the file for a command. It's like saying we open and close the  
file for each line. I didn't calculated the probability of this to  
happen, but I would be very surprised if it is significant. Just think  
about the performance of such behavior (or a more complex logic which  
open()/close()es in a more complex way). And if you think about such  
unlikely stuff to happen, you should also think about some other stuff  
we are not prepared to survive. But feel free to propose a better  
solution for the problem.


Bye,
Alexander.

--
In Newark the laundromats are open 24 hours a day!

http://www.Leidinger.netAlexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org   netchild @ FreeBSD.org  : PGP ID = 72077137
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-23 Thread Pawel Jakub Dawidek 
On Tue, Jan 23, 2007 at 01:25:08PM +0100, Alexander Leidinger wrote:
 Quoting Pawel Jakub Dawidek [EMAIL PROTECTED] (from Tue, 23 Jan 2007 
 12:34:44 +0100):
 It looks like it may work, but I still find it a bit risky. If sh(1) can
 reopen the file under some conditions or someone in the future will
 modify sh(1) in that way (because he won't be aware that such a change
 may have impact on system security) we will have a security hole.
 Chances are small, but I'm not going to be the one who will accept that
 change:)
 
 The spawned subshell is like a command. It doesn't make sense to reopen the 
 file for a command. It's like saying we open and close the file for each 
 line. I didn't 
 calculated the probability of this to happen, but I would be very surprised 
 if it is significant. Just think about the performance of such behavior (or a 
 more complex logic 
 [...] And if you think about such unlikely stuff to happen, you should also 
 think about some other stuff we are not prepared to 
 survive. [...]

Come on, this argument always stands. I only wanted to point out that we
should be extra careful with building security on top of tools that are
not intended for this purpose.

 [...] But feel free to propose a better solution for the problem.

The solution was proposed already - keep console.log outside of jail.

Don't read my comment as a no vote for your solution. If secteam@
decide there is nothing to be worry about - fine by me.

-- 
Pawel Jakub Dawidek   http://www.wheel.pl
[EMAIL PROTECTED]   http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!


pgpq64ac0jGwG.pgp
Description: PGP signature

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Simon L. Nielsen 
On 2007.01.13 12:29:37 +0100, Pawel Jakub Dawidek wrote:
 On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
  Hello Everyone,
  
  I usually let security advisories speak for themselves, but I want to call
  special attention to this one: If you use jails, READ THE ADVISORY, in
  particular the NOTE WELL part below; and if you have problems after 
  applying
  the security patch, LET US KNOW -- we do everything we can to make sure
  that security updates will never cause problems, but in this case we could
  not fix the all of the security issues without either making assumptions
  about how systems are configured or reducing functionality.
  
  In the end we opted to reduce functionality (the jail startup process is
  no longer logged to /var/log/console.log inside the jail), make an 
  assumption
  about how systems are configured (filesystems which are mounted via per-jail
  fstab files should not be mounted on symlinks -- if you do this, adjust your
  fstab files to give the real, non-symlinked, path to the mount point), and
  leave a potential security problem unfixed (if you mount any filesystems via
  per-jail fstab files on mount points which are visible within multiple 
  jails,
  there are problems -- don't do this).

So, I have been putting off replying to this thread, but I guess it
seems like I should reply... :-)

 I don't like the way it was fixed. I do know it wasn't easy to fix.

I don't like it either, but it was the best of bad solutions.  My hope
while developing the patch, and cursing computers in general :-), was
that after the Security Advisory went out somebody would implement a
fix which sucks less possibly by modifying some of the support tools.

Your suggestion with modifying realpath to use chroot(2) certainly
sounds like it could work, but I haven't thought about it in great
detail if there are problems.

The Security Team does not hold a lock on trying to improve the fix in
src/etc/rc.d/jail, but anyone that does change the fix from the
Security Advisory should be really really really really (did I
mention really?) sure the fix is safe and have at least a few people
with security clue review patches.  It is very easy to get this wrong
(my first patch did).  Also, whatever fix is made should be in
-CURRENT for a while (3 weeks min. IMO) before being MFC'ed, both
because it gives more time for people to think about the fix and
because -CURRENT isn't supported wrt. security issues, so if the fix
is wrong we don't have to issue an advisory.

BTW. with regard to the console.log file I really don't think it
should be put back inside the jail unless it's possible to make the
generation of the file entirely inside the jail since it's just not
worth the risk/complexity.  I think it should be possible to do this
with jail(8) in -CURRENT (see -J flag), but:

Note that it will probably be at least a couple of weeks before I feel
like going anywhere near the jail rc.d script again (except for the
warning comment I plan to add...), so don't wait for me with regard to
improving this.

And in case anyone were in doubt:  Computers still suck :-).

-- 
Simon L. Nielsen
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Pawel Jakub Dawidek 
On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote:
[...]
 BTW. with regard to the console.log file I really don't think it
 should be put back inside the jail unless it's possible to make the
 generation of the file entirely inside the jail since it's just not
 worth the risk/complexity.  I think it should be possible to do this
 with jail(8) in -CURRENT (see -J flag), but:

When -J operates on a file inside a jail, it create the same security
hole as the one from security advisory, because it opens a file before
calling jail(2).
I fully agree that console.log should be outside a jail. At least noone
proposed safe solution so far, which also means it's not an easy fix.

-- 
Pawel Jakub Dawidek   http://www.wheel.pl
[EMAIL PROTECTED]   http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!


pgp1bmSk2cQlL.pgp
Description: PGP signature

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Simon L. Nielsen 
On 2007.01.20 14:03:08 +0100, Pawel Jakub Dawidek wrote:
 On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote:
 [...]
  BTW. with regard to the console.log file I really don't think it
  should be put back inside the jail unless it's possible to make the
  generation of the file entirely inside the jail since it's just not
  worth the risk/complexity.  I think it should be possible to do this
  with jail(8) in -CURRENT (see -J flag), but:
 
 When -J operates on a file inside a jail, it create the same security
 hole as the one from security advisory, because it opens a file before
 calling jail(2).

My thought with using -J was not place the info about jid in a file
outside the jail root, basically (pseudo code):

_tmpfile=`mktemp...`
jail -J $_tmpfile sh /etc/rc  /var/log/console.log
_jid=`cat $_tmpfile | something`

At least that was what I thought might be possible with the -J switch
when I noticed it existed.  In any case, actually coding this,
verifying that it works and is safe is left up to anyone who cares
about having console.log inside the jail.

-- 
Simon L. Nielsen
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Dirk Engling 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Pawel Jakub Dawidek wrote:

 When -J operates on a file inside a jail, it create the same security
 hole as the one from security advisory, because it opens a file before
 calling jail(2).
 I fully agree that console.log should be outside a jail. At least noone
 proposed safe solution so far, which also means it's not an easy fix.

I still suggest using pwd -P to get the real path and using the
shell's CWD as a lock. That works safely with mount(8) at least.

Comments?

  erdgeist
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFsiGzImmQdUyYEgkRAlKcAJ4izD1J4x6jDDfvrtr5J+bcmSxK/ACfRpwn
x5yVH4uJIN7CWEgYtATKDE0=
=sQq3
-END PGP SIGNATURE-
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Alexander Leidinger 
Quoting Pawel Jakub Dawidek [EMAIL PROTECTED] (Sat, 20 Jan 2007 14:03:08 
+0100):

 I fully agree that console.log should be outside a jail. At least noone
 proposed safe solution so far, which also means it's not an easy fix.

What's unsafe about my proposal? I did had a look at the code now, and
it should work (with minor mods).

Original:
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
eval jail ${_flags} -i ${_rootdir} ${_hostname} \
${_ip} ${_exec_start}  ${_tmp_jail} 21

if [ $? -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
i=1
while [ true ]; do
eval out=\\${_exec_afterstart${i}:-''}\

if [ -z $out ]; then
break;
fi

jexec ${_jail_id} ${out}
i=$((i + 1))
done

echo -n  $_hostname
tail +2 ${_tmp_jail} ${_consolelog}
echo ${_jail_id}  /var/run/jail_${_jail}.id
---snip---

Pseudocode proposal, not tested (changes prefixed with 'x'):
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
x   # assuming safe _consolelog (inside chroot) according
to the
x   # previous mails here in the thread
x   eval (echo  ; \
x   jail ${_flags} -I /var/run/jail_${_jail}.id \
x   ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
x${_consolelog} 21

if [ $? -eq 0 ] ; then
x   _jail_id=$(cat /var/run/jail_${_jail}.id)
i=1
while [ true ]; do
eval out=\\${_exec_afterstart${i}:-''}\

if [ -z $out ]; then
break;
fi

jexec ${_jail_id} ${out}
i=$((i + 1))
done

echo -n  $_hostname
x
x
---snip---

Repeating my points:
 - sanitize the consolelog path like discussed in this thread
 - the jail is not running, so nobody can create a link (jail
   root within FS space of another jail still prohibited)
 - subshell to group echo and jail
 - 'echo ' to make sure the file exists when the jail starts
 - (new) additional flag to jail to write a jid file
 - redirect to the consolelog, it is still open from the echo
   when the jail starts so there's no race

I did test (echo 1; sleep 60 ; echo 2) /tmp/test in /bin/sh, and it
is line buffered, so the above works.

Where's the security problem in the above?

Bye,
Alexander.

-- 
I wore my extra loose pants for nothing.  Nothing!

-- Homer Simpson
   New Kid on the Block
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org  : PGP ID = 72077137
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]