Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jai

Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (from Tue, 16 Jan 2007 =20
09:42:43 +0100):

> =09good-guy=09=09=09=09attacker-within-a-jail
>
> =09cd /jail/var/log
> =09mktemp foo.XXX
> =09=09=09=09=09=09rm -f foo.XXX
> =09=09=09=09=09=09ln -s /etc/spwd.db foo.XXX
> =09copy /path/to/jail_console.log foo.XXX
> =09mv -f foo.XXX console.log

I did not have time to look at how the console part is handled. But =20
out of the blue I would assume the console.log is created before the =20
jail is started. Like:
  - check if console.log is a file which we are allowed to
    overwrite (no symlink pointing outside the jail)
  - bail out if it points outside the jail or prefix the jail
    base directory to the resulting path if it is a link
  - (echo "Starting $(date)"; start_jail) >>${console.log}
    The echo is there to make sure it exists and the subshell
    to make sure the file is not closed. This assumes the output
    is not more than line buffered (it isn't here on Solaris 10
    with zsh).

Why can't we do it like this?

Bye,
Alexander.

--=20
" "
=09=09-- Charlie Chaplin

" "
=09=09-- Harpo Marx

" "
=09=09-- Marcel Marceau

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID =3D B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID =3D 72077137
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"