Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: Free

Board: FB_security, posted 2007/01/23 20:57
On Tue, Jan 23, 2007 at 01:25:08PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek <pjd@FreeBSD.org> (from Tue, 23 Jan 2007 12:34:44 +0100):
> >It looks like it may work, but I still find it a bit risky. If sh(1) can
> >reopen the file under some conditions or someone in the future will
> >modify sh(1) in that way (because he won't be aware that such a change
> >may have impact on system security) we will have a security hole.
> >Chances are small, but I'm not going to be the one who will accept that
> >change:)
>
> The spawned subshell is like a command. It doesn't make sense to reopen
> the file for a command. It's like saying we open and close the file for
> each line. I didn't calculate the probability of this to happen, but I
> would be very surprised if it is significant. Just think about the
> performance of such behavior (or a more complex logic
> [...] And if you think about such unlikely stuff to happen, you should
> also think about some other stuff we are not prepared to survive. [...]

Come on, this argument always stands. I only wanted to point out that we
should be extra careful with building security on top of tools that are
not intended for this purpose.

> [...] But feel free to propose a better solution for the problem.

The solution was proposed already - keep console.log outside of jail.

Don't read my comment as a "no" vote for your solution. If secteam@
decide there is nothing to worry about - fine by me.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
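The point argued in this message, as an added example that is not part of the thread or of FreeBSD's rc.d script: a log opened once by a subshell redirection, a log reopened for every line, and a log kept outside the jail. All function names and paths are constructed, and the example assumes the concern is the jail side replacing the log path with a symlink between two writes.

```shell
#!/bin/sh
# Added illustration; constructed paths in a throwaway temp dir.
# "$d/jail" stands in for a jail-writable directory, "$d/host" for host-only files.

setup() {
    d=$(mktemp -d)
    mkdir "$d/jail" "$d/host"
    : > "$d/jail/console.log"
    : > "$d/host/target"
    echo "$d"
}

# Assumed jail-side action between two log writes: replace the log with a
# symlink that points at a host file.
swap_log_for_symlink() {
    mv "$1/jail/console.log" "$1/jail/console.log.old"
    ln -s "$1/host/target" "$1/jail/console.log"
}

# Redirection on the subshell: the path is resolved once, every write inside
# uses the inherited descriptor, so the later swap is never followed.
open_once() {
    ( echo "line 1"; swap_log_for_symlink "$1"; echo "line 2" ) >> "$1/jail/console.log"
}

# The risky hypothetical: the path is resolved again for each line.
reopen_each_line() {
    echo "line 1" >> "$1/jail/console.log"
    swap_log_for_symlink "$1"
    echo "line 2" >> "$1/jail/console.log"
}

# Log kept outside the jail: reopening is harmless, the jail cannot touch the path.
log_outside_jail() {
    echo "line 1" >> "$1/host/console.log"
    swap_log_for_symlink "$1"
    echo "line 2" >> "$1/host/console.log"
}

# Bytes that reached the host file through the symlink.
leaked_bytes() { wc -c < "$1/host/target" | tr -d ' '; }

for variant in open_once reopen_each_line log_outside_jail; do
    dir=$(setup)
    "$variant" "$dir"
    echo "$variant: $(leaked_bytes "$dir") bytes written through the symlink"
    rm -rf "$dir"
done
```

Only the per-line reopen writes into the host file; the open-once variant stays safe only as long as the shell keeps using the inherited descriptor, which is the dependency the message objects to.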