| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Jul 12 12:42:54 2005 From: simon at FreeBSD.org (Simon L. Nielsen) Subject: Possible security issue with FreeBSD 5.4 jailing and BPF On 2005.07.11 23:54:15 +0200, ronvdaal wrote: > While playing around with FreeBSD 5.4 and jailing I discovered that it was > possible to put an ethernet interface into promiscious mode from within the > jailed environment, allowing a packetsniffer to gather data not meant for > the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x > This can be reproduced on boxes where BPF support is enabled in the kernel > and a BPF device is available in the jail (badly configured devfs/no rules) [...] > Usage of devfs rulesets is highly recommended as stated in the manpages. > Though a misconfiguration at this point would expose a big security issue. > The question is: should bpfopen() in bpf.c check for a jailed proc or not? This is not really a security bug since, as stated in the jail(8) manual, you should use devfs rulesets if you are using jails as a security measure. Exposing a complete /dev file-system inside a jail is a bad idea security wise, not just with regards to BPF. -- Simon L. Nielsen FreeBSD Security Team -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050712/206a4812/attachment.bin
Powered by blists - more mailing lists