jail and uname
From the console of a jail I issue uname –r and get 8.0-RELEASE-p3, which is the release level of the host. I know the jail is running a pristine minimum install of 8.0-RELEASE. I would think issuing uname from within a jail environment should respond with the info of the jail environment. Is this not a security violation? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: jail and uname
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/07/2010 07:13:13, Aiza wrote: From the console of a jail I issue uname –r and get 8.0-RELEASE-p3, which is the release level of the host. I know the jail is running a pristine minimum install of 8.0-RELEASE. The uname information is compiled into the kernel -- so all jails will show the information relevant to the host system. The problem arises when a security patch applies to userland, and not the kernel, as updating the host system does not necessarily mean the update has been applied to the jails. I would think issuing uname from within a jail environment should respond with the info of the jail environment. Is this not a security violation? It can result in security problems, yes. The real problem there is an incorrect approach to applying security updates to jailed systems. Even so, not having a reliable means of telling per-jail that patches have or have not been applied is a flaw. Whether you can do this within the POSIX specification for uname without adversely affecting backwards compatibility is a good question (http://www.opengroup.org/onlinepubs/009695399/utilities/uname.html). Perhaps a simple solution would be to compile a constant string value showing system version and patch level into libc.so and have a small utility to print that data out. Since this is independent of the kernel, it should fulfill the requirements, but it does mean that *every* system update requires a new libc.so and hence a restart of all running processes to apply fully. While I'm here -- why doesn't FreeBSD use a simple version number like 7.3.4 rather than saying 7.3-RELEASE-p4? I realize that historically there have been point releases like 5.2.1-RELEASE but the whole Security/Errata branch concept was developed partly in response to such things, and the whole release engineering process is done differently now. Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matt...@infracaninophile.co.uk Kent, CT11 9PW -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkwu4aMACgkQ8Mjk52CukIzd2wCfQSLaRz+G5FK62+DQ0ZT4gXA0 gAQAn0eu7SY28lrfElvlwVWtRieiWk5W =PuxL -END PGP SIGNATURE- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: jail and uname
Le Sat, 03 Jul 2010 14:13:13 +0800, Aiza aiz...@comclark.com a écrit : From the console of a jail I issue uname –r and get 8.0-RELEASE-p3, which is the release level of the host. I know the jail is running a pristine minimum install of 8.0-RELEASE. I would think issuing uname from within a jail environment should respond with the info of the jail environment. Uname uses some sysctl to retrieve OS information, so they are stored in the kernel. For example : kern.ostype: FreeBSD kern.osrelease: 8.1-PRERELEASE Is this not a security violation? No I don't think. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: jail and uname
On Sat, Jul 03, 2010 at 02:13:13PM +0800, Aiza wrote: From the console of a jail I issue uname -r and get 8.0-RELEASE-p3, which is the release level of the host. I know the jail is running a pristine minimum install of 8.0-RELEASE. I would think issuing uname from within a jail environment should respond with the info of the jail environment. Is this not a security violation? I'm guessing your understanding of jails is a bit off. A FreeBSD jail isn't a fully virtualised system. As implemented, jails share the host system's kernel. The Handbook makes clear that a jail is essentially defined by a directory subtree, a hostname, an IP address, and a command. Well, that, and things like user accounts. So when you run uname, what's reported is kernel information as stored in various sysctl(8) MIBs (kern.ostype, kern.osrelease, kern.osrevision, kern.version, etc.). And because there's only one kernel, you'll get the same output from running uname on the host as you would get from running it inside a jail. -- George ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org