Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

Fri, 27 Jul 2007 02:26:59 -0700 

On 2007.07.27 17:12:34 +1000, Joel Hatton wrote:

> I'm dredging up an old issue here, but it appears to be unresolved in
> RELENG_5_5 at this time. After upgrading to 5.5-RELEASE-p14, I found that
> my jails wouldn't start anymore, and it comes down to this bit again. By
> way of explanation, I'll include the patch for what I changed.
> 
> --- /tmp/jail   Wed Feb 14 15:16:30 2007
> +++ /etc/rc.d/jail      Fri Jul 27 13:46:51 2007
> @@ -218,7 +218,7 @@
>  {
>         local _device _mountpt _rest
>  
> -       while read _device _mountpt _rest; do
> +       cat ${jail_fstab} | while read _device _mountpt _rest; do
>                 case ":${_device}" in
>                 :#* | :)
>                         continue
> 
> In short, the jail_mount_fstab function is not given the fstab file on
> which the local variables depend. My patch may not be the most robust but
> for me today it is expedient.

Hey,

Yes, looking at the code now it is clearly wrong.  Guess I/we
(secteam) stared too much at the code so we missed this issue :-/.

Your patch is very close to the "correct"/cleaner patch which is
attached.  How exactly does it fail without your patch?  Does it say
"cannot open : No such file or directory" and then no jails start when
booting (that would be my guess from a quick check of the bug)?

Would it be possible for you to test the attached patch and see if it
fixes the issue for you?

> Sorry if this has been discussed already, but I was surprised that this
> hadn't been fixed yet. It certainly would have caused some anxious moments
> if I'd upgraded a prod server with multiple jails before I realised!

I haven't heard of this issue before, so not many people are using 5.5
with jails.  The bug was certainly introduced as a merge error in the
with the patch for FreeBSD-SA-07:01.jail.

As this is clearly a bug in a Security Advisory patch and RELENG_5 /
RELENG_5_5 are still supported I expect that an updated advisory will
be released to fix this bug shortly.

Thanks for reporting the issue, and sorry about the bad patch :-(.

-- 
Simon L. Nielsen
Hat: FreeBSD Security Team and pointyhat

Index: jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.15.2.5.2.1
diff -u -d -r1.15.2.5.2.1 jail
--- jail        11 Jan 2007 18:19:33 -0000      1.15.2.5.2.1
+++ jail        27 Jul 2007 08:49:37 -0000
@@ -228,7 +228,7 @@
                        warn "${_mountpt} has symlink as parent - not mounting 
from ${jail_fstab}"
                        return
                fi
-       done <${_fstab}
+       done <${jail_fstab}
        mount -a -F "${jail_fstab}"
 }

Attachment: pgpfkwZGUCy2V.pgp
Description: PGP signature

Reply via email to