lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050712125102.R65286@zarathustra.linux666.com> Date: Tue Jul 12 12:43:40 2005 From: ronvdaal at zarathustra.linux666.com (ronvdaal) Subject: Possible security issue with FreeBSD 5.4 jailing and BPF -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> While playing around with FreeBSD 5.4 and jailing I discovered that it was >> possible to put an ethernet interface into promiscious mode from within the >> jailed environment, allowing a packetsniffer to gather data not meant for >> the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x >> This can be reproduced on boxes where BPF support is enabled in the kernel >> and a BPF device is available in the jail (badly configured devfs/no rules) > [...] >> Usage of devfs rulesets is highly recommended as stated in the manpages. >> Though a misconfiguration at this point would expose a big security issue. >> The question is: should bpfopen() in bpf.c check for a jailed proc or not? > > This is not really a security bug since, as stated in the jail(8) > manual, you should use devfs rulesets if you are using jails as a > security measure. Exposing a complete /dev file-system inside a jail > is a bad idea security wise, not just with regards to BPF. I'm figuring out the reason why the jailing check has been removed from the BPF code in the kernel source tree (if on purpose). Does this have a reason? Because it was right there in the 4.x series kernels. And it's also present in other parts of the 5.x kernel source. Therefore it seems to be forgotten. While saying that this isn't a security bug, you're actually stating this has turned into a "feature", allowing the privileged user on the host box to decide which jailed root user can put ethernet devices into promiscious mode. (...) However, if it's a feature not a bug - then where is it documented? Kind regards, Ron van Daal The Netherlands -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFC06dqPnak7KhYV34RAjOqAKCJPtIQatwyk+mGKLy9ynEfRtz2MgCeIOnD F3MzCe8kSbMEn9Vrw679Q3A= =CM+T -----END PGP SIGNATURE-----
Powered by blists - more mailing lists