Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Simon L. Nielsen 
On 2007.01.13 12:29:37 +0100, Pawel Jakub Dawidek wrote:
> On Thu, Jan 11, 2007 at 04:51:02PM -0800, Colin Percival wrote:
> > Hello Everyone,
> > 
> > I usually let security advisories speak for themselves, but I want to call
> > special attention to this one: If you use jails, READ THE ADVISORY, in
> > particular the "NOTE WELL" part below; and if you have problems after 
> > applying
> > the security patch, LET US KNOW -- we do everything we can to make sure
> > that security updates will never cause problems, but in this case we could
> > not fix the all of the security issues without either making assumptions
> > about how systems are configured or reducing functionality.
> > 
> > In the end we opted to reduce functionality (the jail startup process is
> > no longer logged to /var/log/console.log inside the jail), make an 
> > assumption
> > about how systems are configured (filesystems which are mounted via per-jail
> > fstab files should not be mounted on symlinks -- if you do this, adjust your
> > fstab files to give the real, non-symlinked, path to the mount point), and
> > leave a potential security problem unfixed (if you mount any filesystems via
> > per-jail fstab files on mount points which are visible within multiple 
> > jails,
> > there are problems -- don't do this).

So, I have been putting off replying to this thread, but I guess it
seems like I should reply... :-)

> I don't like the way it was fixed. I do know it wasn't easy to fix.

I don't like it either, but it was the best of bad solutions.  My hope
while developing the patch, and cursing computers in general :-), was
that after the Security Advisory went out somebody would implement a
fix which sucks less possibly by modifying some of the support tools.

Your suggestion with modifying realpath to use chroot(2) certainly
sounds like it could work, but I haven't thought about it in great
detail if there are problems.

The Security Team does not hold a lock on trying to improve the fix in
src/etc/rc.d/jail, but anyone that does change the fix from the
Security Advisory should be really really really really (did I
mention "really"?) sure the fix is safe and have at least a few people
with security clue review patches.  It is very easy to get this wrong
(my first patch did).  Also, whatever fix is made should be in
-CURRENT for a while (3 weeks min. IMO) before being MFC'ed, both
because it gives more time for people to think about the fix and
because -CURRENT isn't supported wrt. security issues, so if the fix
is wrong we don't have to issue an advisory.

BTW. with regard to the console.log file I really don't think it
should be put back inside the jail unless it's possible to make the
generation of the file entirely inside the jail since it's just not
worth the risk/complexity.  I think it should be possible to do this
with jail(8) in -CURRENT (see -J flag), but:

Note that it will probably be at least a couple of weeks before I feel
like going anywhere near the jail rc.d script again (except for the
warning comment I plan to add...), so don't wait for me with regard to
improving this.

And in case anyone were in doubt:  Computers still suck :-).

-- 
Simon L. Nielsen
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Pawel Jakub Dawidek 
On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote:
[...]
> BTW. with regard to the console.log file I really don't think it
> should be put back inside the jail unless it's possible to make the
> generation of the file entirely inside the jail since it's just not
> worth the risk/complexity.  I think it should be possible to do this
> with jail(8) in -CURRENT (see -J flag), but:

When -J operates on a file inside a jail, it create the same security
hole as the one from security advisory, because it opens a file before
calling jail(2).
I fully agree that console.log should be outside a jail. At least noone
proposed safe solution so far, which also means it's not an easy fix.

-- 
Pawel Jakub Dawidek   http://www.wheel.pl
[EMAIL PROTECTED]   http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!


pgp1bmSk2cQlL.pgp
Description: PGP signature

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Simon L. Nielsen 
On 2007.01.20 14:03:08 +0100, Pawel Jakub Dawidek wrote:
> On Sat, Jan 20, 2007 at 01:24:33PM +0100, Simon L. Nielsen wrote:
> [...]
> > BTW. with regard to the console.log file I really don't think it
> > should be put back inside the jail unless it's possible to make the
> > generation of the file entirely inside the jail since it's just not
> > worth the risk/complexity.  I think it should be possible to do this
> > with jail(8) in -CURRENT (see -J flag), but:
> 
> When -J operates on a file inside a jail, it create the same security
> hole as the one from security advisory, because it opens a file before
> calling jail(2).

My thought with using -J was not place the info about jid in a file
outside the jail root, basically (pseudo code):

_tmpfile=`mktemp...`
jail -J $_tmpfile "sh /etc/rc > /var/log/console.log"
_jid=`cat $_tmpfile | something`

At least that was what I thought might be possible with the -J switch
when I noticed it existed.  In any case, actually coding this,
verifying that it works and is safe is left up to anyone who cares
about having console.log inside the jail.

-- 
Simon L. Nielsen
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Dirk Engling 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Pawel Jakub Dawidek wrote:

> When -J operates on a file inside a jail, it create the same security
> hole as the one from security advisory, because it opens a file before
> calling jail(2).
> I fully agree that console.log should be outside a jail. At least noone
> proposed safe solution so far, which also means it's not an easy fix.

I still suggest using "pwd -P" to get the real path and using the
shell's CWD as a lock. That works safely with mount(8) at least.

Comments?

  erdgeist
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFsiGzImmQdUyYEgkRAlKcAJ4izD1J4x6jDDfvrtr5J+bcmSxK/ACfRpwn
x5yVH4uJIN7CWEgYtATKDE0=
=sQq3
-END PGP SIGNATURE-
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-20 Thread Alexander Leidinger 
Quoting Pawel Jakub Dawidek <[EMAIL PROTECTED]> (Sat, 20 Jan 2007 14:03:08 
+0100):

> I fully agree that console.log should be outside a jail. At least noone
> proposed safe solution so far, which also means it's not an easy fix.

What's unsafe about my proposal? I did had a look at the code now, and
it should work (with minor mods).

Original:
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
eval jail ${_flags} -i ${_rootdir} ${_hostname} \
${_ip} ${_exec_start} > ${_tmp_jail} 2>&1

if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
i=1
while [ true ]; do
eval out=\"\${_exec_afterstart${i}:-''}\"

if [ -z "$out" ]; then
break;
fi

jexec "${_jail_id}" ${out}
i=$((i + 1))
done

echo -n " $_hostname"
tail +2 ${_tmp_jail} >${_consolelog}
echo ${_jail_id} > /var/run/jail_${_jail}.id
---snip---

Pseudocode proposal, not tested (changes prefixed with 'x'):
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
x   # assuming safe _consolelog (inside chroot) according
to the
x   # previous mails here in the thread
x   eval (echo "" ; \
x   jail ${_flags} -I /var/run/jail_${_jail}.id \
x   ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
x   > ${_consolelog} 2>&1

if [ "$?" -eq 0 ] ; then
x   _jail_id=$(cat /var/run/jail_${_jail}.id)
i=1
while [ true ]; do
eval out=\"\${_exec_afterstart${i}:-''}\"

if [ -z "$out" ]; then
break;
fi

jexec "${_jail_id}" ${out}
i=$((i + 1))
done

echo -n " $_hostname"
x
x
---snip---

Repeating my points:
 - sanitize the consolelog path like discussed in this thread
 - the jail is not running, so nobody can create a link (jail
   root within FS space of another jail still prohibited)
 - subshell to group echo and jail
 - 'echo ""' to make sure the file exists when the jail starts
 - (new) additional flag to jail to write a jid file
 - redirect to the consolelog, it is still open from the echo
   when the jail starts so there's no race

I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
is line buffered, so the above works.

Where's the security problem in the above?

Bye,
Alexander.

-- 
I wore my extra loose pants for nothing.  Nothing!

-- Homer Simpson
   New Kid on the Block
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org  : PGP ID = 72077137
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-23 Thread Pawel Jakub Dawidek 
On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek <[EMAIL PROTECTED]> (Sat, 20 Jan 2007 14:03:08 
> +0100):
> 
> > I fully agree that console.log should be outside a jail. At least noone
> > proposed safe solution so far, which also means it's not an easy fix.
> 
> What's unsafe about my proposal? I did had a look at the code now, and
> it should work (with minor mods).
> 
> Original:
> ---snip---
> _tmp_jail=${_tmp_dir}/jail.$$
> eval jail ${_flags} -i ${_rootdir} ${_hostname} \
> ${_ip} ${_exec_start} > ${_tmp_jail} 2>&1
> 
> if [ "$?" -eq 0 ] ; then
> _jail_id=$(head -1 ${_tmp_jail})
> i=1
> while [ true ]; do
> eval out=\"\${_exec_afterstart${i}:-''}\"
> 
> if [ -z "$out" ]; then
> break;
> fi
> 
> jexec "${_jail_id}" ${out}
> i=$((i + 1))
> done
> 
> echo -n " $_hostname"
> tail +2 ${_tmp_jail} >${_consolelog}
> echo ${_jail_id} > /var/run/jail_${_jail}.id
> ---snip---
> 
> Pseudocode proposal, not tested (changes prefixed with 'x'):
> ---snip---
> _tmp_jail=${_tmp_dir}/jail.$$
> x   # assuming safe _consolelog (inside chroot) according
> to the
> x   # previous mails here in the thread
> x eval (echo "" ; \
> x   jail ${_flags} -I /var/run/jail_${_jail}.id \
> x   ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
> x   > ${_consolelog} 2>&1
> 
> if [ "$?" -eq 0 ] ; then
> x   _jail_id=$(cat /var/run/jail_${_jail}.id)
> i=1
> while [ true ]; do
> eval out=\"\${_exec_afterstart${i}:-''}\"
> 
> if [ -z "$out" ]; then
> break;
> fi
> 
> jexec "${_jail_id}" ${out}
> i=$((i + 1))
> done
> 
> echo -n " $_hostname"
> x
> x
> ---snip---
> 
> Repeating my points:
>  - sanitize the consolelog path like discussed in this thread
>  - the jail is not running, so nobody can create a link (jail
>root within FS space of another jail still prohibited)
>  - subshell to group echo and jail
>  - 'echo ""' to make sure the file exists when the jail starts
>  - (new) additional flag to jail to write a jid file
>  - redirect to the consolelog, it is still open from the echo
>when the jail starts so there's no race
> 
> I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
> is line buffered, so the above works.
> 
> Where's the security problem in the above?

It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)

-- 
Pawel Jakub Dawidek   http://www.wheel.pl
[EMAIL PROTECTED]   http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!


pgpxJyediGS02.pgp
Description: PGP signature

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-23 Thread Alexander Leidinger 
Quoting Pawel Jakub Dawidek <[EMAIL PROTECTED]> (from Tue, 23 Jan 2007  
12:34:44 +0100):



On Sat, Jan 20, 2007 at 03:24:23PM +0100, Alexander Leidinger wrote:
Quoting Pawel Jakub Dawidek <[EMAIL PROTECTED]> (Sat, 20 Jan 2007   
14:03:08 +0100):


> I fully agree that console.log should be outside a jail. At least noone
> proposed safe solution so far, which also means it's not an easy fix.

What's unsafe about my proposal? I did had a look at the code now, and
it should work (with minor mods).

Original:
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
eval jail ${_flags} -i ${_rootdir} ${_hostname} \
${_ip} ${_exec_start} > ${_tmp_jail} 2>&1

if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
i=1
while [ true ]; do
eval out=\"\${_exec_afterstart${i}:-''}\"

if [ -z "$out" ]; then
break;
fi

jexec "${_jail_id}" ${out}
i=$((i + 1))
done

echo -n " $_hostname"
tail +2 ${_tmp_jail} >${_consolelog}
echo ${_jail_id} > /var/run/jail_${_jail}.id
---snip---

Pseudocode proposal, not tested (changes prefixed with 'x'):
---snip---
_tmp_jail=${_tmp_dir}/jail.$$
x   # assuming safe _consolelog (inside chroot) according
to the
x   # previous mails here in the thread
x   eval (echo "" ; \
x   jail ${_flags} -I /var/run/jail_${_jail}.id \
x   ${_rootdir} ${_hostname} {_ip} ${_exec_start}) \
x   > ${_consolelog} 2>&1

if [ "$?" -eq 0 ] ; then
x   _jail_id=$(cat /var/run/jail_${_jail}.id)
i=1
while [ true ]; do
eval out=\"\${_exec_afterstart${i}:-''}\"

if [ -z "$out" ]; then
break;
fi

jexec "${_jail_id}" ${out}
i=$((i + 1))
done

echo -n " $_hostname"
x
x
---snip---

Repeating my points:
 - sanitize the consolelog path like discussed in this thread
 - the jail is not running, so nobody can create a link (jail
   root within FS space of another jail still prohibited)
 - subshell to group echo and jail
 - 'echo ""' to make sure the file exists when the jail starts
 - (new) additional flag to jail to write a jid file
 - redirect to the consolelog, it is still open from the echo
   when the jail starts so there's no race

I did test "(echo 1; sleep 60 ; echo 2) >/tmp/test" in /bin/sh, and it
is line buffered, so the above works.

Where's the security problem in the above?


It looks like it may work, but I still find it a bit risky. If sh(1) can
reopen the file under some conditions or someone in the future will
modify sh(1) in that way (because he won't be aware that such a change
may have impact on system security) we will have a security hole.
Chances are small, but I'm not going to be the one who will accept that
change:)


The spawned subshell is like a command. It doesn't make sense to  
reopen the file for a command. It's like saying we open and close the  
file for each line. I didn't calculated the probability of this to  
happen, but I would be very surprised if it is significant. Just think  
about the performance of such behavior (or a more complex logic which  
open()/close()es in a more complex way). And if you think about such  
unlikely stuff to happen, you should also think about some other stuff  
we are not prepared to survive. But feel free to propose a better  
solution for the problem.


Bye,
Alexander.

--
In Newark the laundromats are open 24 hours a day!

http://www.Leidinger.netAlexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org   netchild @ FreeBSD.org  : PGP ID = 72077137
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Improving FreeBSD-SA-07:01.jail fix [was: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail]

2007-01-23 Thread Pawel Jakub Dawidek 
On Tue, Jan 23, 2007 at 01:25:08PM +0100, Alexander Leidinger wrote:
> Quoting Pawel Jakub Dawidek <[EMAIL PROTECTED]> (from Tue, 23 Jan 2007 
> 12:34:44 +0100):
> >It looks like it may work, but I still find it a bit risky. If sh(1) can
> >reopen the file under some conditions or someone in the future will
> >modify sh(1) in that way (because he won't be aware that such a change
> >may have impact on system security) we will have a security hole.
> >Chances are small, but I'm not going to be the one who will accept that
> >change:)
> 
> The spawned subshell is like a command. It doesn't make sense to reopen the 
> file for a command. It's like saying we open and close the file for each 
> line. I didn't 
> calculated the probability of this to happen, but I would be very surprised 
> if it is significant. Just think about the performance of such behavior (or a 
> more complex logic 
> [...] And if you think about such unlikely stuff to happen, you should also 
> think about some other stuff we are not prepared to 
> survive. [...]

Come on, this argument always stands. I only wanted to point out that we
should be extra careful with building security on top of tools that are
not intended for this purpose.

> [...] But feel free to propose a better solution for the problem.

The solution was proposed already - keep console.log outside of jail.

Don't read my comment as a "no" vote for your solution. If secteam@
decide there is nothing to be worry about - fine by me.

-- 
Pawel Jakub Dawidek   http://www.wheel.pl
[EMAIL PROTECTED]   http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!


pgpq64ac0jGwG.pgp
Description: PGP signature