Message-ID: <20050712125102.R65286@zarathustra.linux666.com>
Date: Tue Jul 12 12:43:40 2005
From: ronvdaal at zarathustra.linux666.com (ronvdaal)
Subject: Possible security issue with FreeBSD 5.4 jailing and BPF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>> While playing around with FreeBSD 5.4 and jailing I discovered that it was
>> possible to put an ethernet interface into promiscuous mode from within the
>> jailed environment, allowing a packet sniffer to gather data not meant for
>> the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x.
>> This can be reproduced on boxes where BPF support is enabled in the kernel
>> and a BPF device is available in the jail (badly configured devfs/no rules)
> [...]
>> Usage of devfs rulesets is highly recommended as stated in the manpages.
>> Though a misconfiguration at this point would expose a big security issue.
>> The question is: should bpfopen() in bpf.c check for a jailed proc or not?
>
> This is not really a security bug since, as stated in the jail(8)
> manual, you should use devfs rulesets if you are using jails as a
> security measure.  Exposing a complete /dev file-system inside a jail
> is a bad idea security wise, not just with regards to BPF.

I'm figuring out the reason why the jailing check has been removed from the
BPF code in the kernel source tree (if on purpose). Does this have a reason?
Because it was right there in the 4.x series kernels. And it's also present 
in other parts of the 5.x kernel source. Therefore it seems to be forgotten.

While saying that this isn't a security bug, you're actually stating this
has turned into a "feature", allowing the privileged user on the host box to
decide which jailed root user can put ethernet devices into promiscuous mode.
(...) However, if it's a feature not a bug - then where is it documented?

Kind regards,

Ron van Daal
The Netherlands
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFC06dqPnak7KhYV34RAjOqAKCJPtIQatwyk+mGKLy9ynEfRtz2MgCeIOnD
F3MzCe8kSbMEn9Vrw679Q3A=
=CM+T
-----END PGP SIGNATURE-----
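The thread's practical advice is to rely on devfs rulesets rather than on a kernel-side jail check in bpfopen(). The following POSIX sh helper, added here as an example and not part of the original message, audits that advice from the host side: it reports whether a jail's /dev currently shows any bpf* node, and whether a devfs.rules ruleset would hide them (it must include $devfsrules_hide_all and must not explicitly unhide bpf*). The jail path, the ruleset contents and the device names it creates are constructed samples modelled on the default devfsrules_jail stanza; the functions are assumed names, not FreeBSD tooling.

```shell
#!/bin/sh
# Added audit helper, not from the original message.
# Checks (1) whether a jail root's /dev exposes bpf* device nodes and
# (2) whether a devfs.rules ruleset would hide bpf* from a jail.

# Return 0 if no bpf* node is visible under <jailroot>/dev, 1 if one is.
# Usage: jail_dev_hides_bpf /path/to/jailroot
jail_dev_hides_bpf() {
    jaildev="$1/dev"
    for node in "$jaildev"/bpf*; do
        # An unmatched glob stays literal, so test that the entry exists.
        [ -e "$node" ] && return 1
    done
    return 0
}

# Return 0 if the devfs.rules file <file> hides bpf* devices:
# it includes $devfsrules_hide_all and has no "add path 'bpf*' unhide".
# Usage: ruleset_hides_bpf /etc/devfs.rules
ruleset_hides_bpf() {
    rules="$1"
    # Without hide_all as the base, everything in /dev is visible.
    grep -Eq '^[[:space:]]*add[[:space:]]+include[[:space:]]+\$devfsrules_hide_all' "$rules" \
        || return 1
    # An explicit unhide of a bpf path re-exposes the device.
    grep -E '^[[:space:]]*add[[:space:]]+path[[:space:]]+'"'"'?bpf' "$rules" \
        | grep -q 'unhide' && return 1
    return 0
}

# Demonstration on a constructed sample tree (no real jail or devfs involved).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/jail/dev"
: > "$demo_dir/jail/dev/bpf0"          # constructed: a leaked bpf node

# Constructed ruleset modelled on the default devfsrules_jail stanza.
printf '%s\n' \
    '[devfsrules_jail=4]' \
    'add include $devfsrules_hide_all' \
    'add include $devfsrules_unhide_basic' \
    'add include $devfsrules_unhide_login' \
    > "$demo_dir/good.rules"

# Same stanza with the bpf unhide that some admins add for tcpdump in a jail.
cp "$demo_dir/good.rules" "$demo_dir/bad.rules"
printf '%s\n' "add path 'bpf*' unhide" >> "$demo_dir/bad.rules"

if jail_dev_hides_bpf "$demo_dir/jail"; then
    echo "jail dev: no bpf nodes visible"
else
    echo "jail dev: bpf node exposed in $demo_dir/jail/dev"
fi
for f in good bad; do
    if ruleset_hides_bpf "$demo_dir/$f.rules"; then
        echo "$f.rules: hides bpf*"
    else
        echo "$f.rules: would expose bpf* to the jail"
    fi
done
rm -rf "$demo_dir"
```

On a real host, point jail_dev_hides_bpf at each jail's root and ruleset_hides_bpf at the ruleset named in the jail's devfs_ruleset setting; a jail that needs packet capture should be the documented exception, not the default.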
