Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
- From: "Simon L. Nielsen" <simon@xxxxxxxxxxx>
- Date: Fri, 27 Jul 2007 11:07:29 +0200
On 2007.07.27 17:12:34 +1000, Joel Hatton wrote:
I'm dredging up an old issue here, but it appears to be unresolved in
RELENG_5_5 at this time. After upgrading to 5.5-RELEASE-p14, I found that
my jails wouldn't start anymore, and it comes down to this bit again. By
way of explanation, I'll include the patch for what I changed.
--- /tmp/jail Wed Feb 14 15:16:30 2007
+++ /etc/rc.d/jail Fri Jul 27 13:46:51 2007
@@ -218,7 +218,7 @@
{
local _device _mountpt _rest
- while read _device _mountpt _rest; do
+ cat ${jail_fstab} | while read _device _mountpt _rest; do
case ":${_device}" in
:#* | :)
continue
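Review bot: On the changed `while read` line, feeding the loop through `cat ${jail_fstab} |` runs the loop body in a subshell, so a `return` issued inside the loop would leave only that subshell and the function would carry on to whatever follows the loop. Redirecting the loop's input at its `done` (for example `done <"${jail_fstab}"`) keeps the loop in the function's own shell and avoids the extra process. `${jail_fstab}` is also unquoted here, so a path containing whitespace would be split into several arguments to `cat`.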
In short, the jail_mount_fstab function is not given the fstab file on
which the local variables depend. My patch may not be the most robust but
for me today it is expedient.
Hey,
Yes, looking at the code now it is clearly wrong. Guess I/we
(secteam) stared too much at the code so we missed this issue :-/.
Your patch is very close to the "correct"/cleaner patch which is
attached. How exactly does it fail without your patch? Does it say
"cannot open : No such file or directory" and then no jails start when
booting (that would be my guess from a quick check of the bug)?
Would it be possible for you to test the attached patch and see if it
fixes the issue for you?
Sorry if this has been discussed already, but I was surprised that this
hadn't been fixed yet. It certainly would have caused some anxious moments
if I'd upgraded a prod server with multiple jails before I realised!
I haven't heard of this issue before, so not many people are using 5.5
with jails. The bug was certainly introduced as a merge error
with the patch for FreeBSD-SA-07:01.jail.
As this is clearly a bug in a Security Advisory patch and RELENG_5 /
RELENG_5_5 are still supported I expect that an updated advisory will
be released to fix this bug shortly.
Thanks for reporting the issue, and sorry about the bad patch :-(.
--
Simon L. Nielsen
Hat: FreeBSD Security Team and pointyhat
Index: jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.15.2.5.2.1
diff -u -d -r1.15.2.5.2.1 jail
--- jail 11 Jan 2007 18:19:33 -0000 1.15.2.5.2.1
+++ jail 27 Jul 2007 08:49:37 -0000
@@ -228,7 +228,7 @@
warn "${_mountpt} has symlink as parent - not mounting from ${jail_fstab}"
return
fi
- done <${_fstab}
+ done <${jail_fstab}
mount -a -F "${jail_fstab}"
}
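Review bot: The redirect target in `done <${jail_fstab}` is unquoted while the `mount -a -F "${jail_fstab}"` line directly below quotes the same variable; quote it here too (`done <"${jail_fstab}"`) so both uses behave the same for a path with spaces. Since this loop is the check that refuses mount points with a symlinked parent, it would also help to test that `${jail_fstab}` is set and readable before entering the loop and to `warn` and return if not, so an empty or wrong variable produces a clear message rather than a bare shell "cannot open" error.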