Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: Free
--BwCQnh7xodEAoBMC
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (Sat, 20 Jan 2007 14:03:08 =
+0100):
>=20
> > I fully agree that console.log should be outside a jail. At least noone
> > proposed safe solution so far, which also means it's not an easy fix.
>=20
> What's unsafe about my proposal? I did had a look at the code now, and
> it should work (with minor mods).
>=20
> Original:
> ---snip---
> _tmp_jail=3D${_tmp_dir}/jail.$$
> eval jail ${_flags} -i ${_rootdir} ${_hostname} \
> ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1
>=20
> if [ "$?" -eq 0 ] ; then
> _jail_id=3D$(head -1 ${_tmp_jail})
> i=3D1
> while [ true ]; do
> eval out=3D\"\${_exec_afterstart${i}:-''}=
\"
>=20
> if [ -z "$out" ]; then
> break;
> fi
>=20
> jexec "${_jail_id}" ${out}
> i=3D$((i + 1))
> done
>=20
> echo -n " $_hostname"
> tail +2 ${_tmp_jail} >${_consolelog}
> echo ${_jail_id} > /var/run/jail_${_jail}.id
> ---snip---
>=20
> Pseudocode proposal, not tested (changes prefixed with 'x'):
> ---snip---
> _tmp_jail=3D${_tmp_dir}/jail.$$
> x # assuming safe _consolelog (inside chroot) according
> to the
> x # previous mails here in the thread
> x eval (echo "" ; \
> x jail ${_flags} -I /var/run/jail_${_jail}.id \
> x ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
> x > ${_consolelog} 2>&1
>=20
> if [ "$?" -eq 0 ] ; then
> x _jail_id=3D$(cat /var/run/jail_${_jail}.id)
> i=3D1
> while [ true ]; do
> eval out=3D\"\${_exec_afterstart${i}:-''}=
\"
>=20
> if [ -z "$out" ]; then
> break;
> fi
>=20
> jexec "${_jail_id}" ${out}
> i=3D$((i + 1))
> done
>=20
> echo -n " $_hostname"
> x
> x
> ---snip---
>=20
> Repeating my points:
> - sanitize the consolelog path like discussed in this thread
> - the jail is not running, so nobody can create a link (jail
> root within FS space of another jail still prohibited)
> - subshell to group echo and jail
> - 'echo ""' to make sure the file exists when the jail starts
> - (new) additional flag to jail to write a jid file
> - redirect to the consolelog, it is still open from the echo
> when the jail starts so there's no race
>=20
> I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
> is line buffered, so the above works.
>=20
> Where's the security problem in the above?
It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)
--=20
Pawel Jakub Dawidek http://www.wheel.pl
pjd@FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
--BwCQnh7xodEAoBMC
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
iD8DBQFFtfLUForvXbEpPzQRAoo1AJ9Q/u5YAPeHsQiOUBCEEOR8BzKuoACbBnQH
g1ixkeanvC5aURwI48b/TW4=
=TDkY
-----END PGP SIGNATURE-----
--BwCQnh7xodEAoBMC--
討論串 (同標題文章)
完整討論串 (本文為第 6 之 7 篇):