Full Disclosure mailing list archives
Re: Possible security issue with FreeBSD 5.4 jailing and BPF
From: ronvdaal <ronvdaal () zarathustra linux666 com>
Date: Tue, 12 Jul 2005 13:20:06 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
While playing around with FreeBSD 5.4 and jailing I discovered that it was possible to put an ethernet interface into promiscious mode from within the jailed environment, allowing a packetsniffer to gather data not meant for the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x This can be reproduced on boxes where BPF support is enabled in the kernel and a BPF device is available in the jail (badly configured devfs/no rules)[...]Usage of devfs rulesets is highly recommended as stated in the manpages. Though a misconfiguration at this point would expose a big security issue. The question is: should bpfopen() in bpf.c check for a jailed proc or not?This is not really a security bug since, as stated in the jail(8) manual, you should use devfs rulesets if you are using jails as a security measure. Exposing a complete /dev file-system inside a jail is a bad idea security wise, not just with regards to BPF.
I'm figuring out the reason why the jailing check has been removed from the BPF code in the kernel source tree (if on purpose). Does this have a reason?Because it was right there in the 4.x series kernels. And it's also present in other parts of the 5.x kernel source. Therefore it seems to be forgotten.
While saying that this isn't a security bug, you're actually stating this has turned into a "feature", allowing the privileged user on the host box to decide which jailed root user can put ethernet devices into promiscious mode. (...) However, if it's a feature not a bug - then where is it documented? Kind regards, Ron van Daal The Netherlands -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFC06dqPnak7KhYV34RAjOqAKCJPtIQatwyk+mGKLy9ynEfRtz2MgCeIOnD F3MzCe8kSbMEn9Vrw679Q3A= =CM+T -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Possible security issue with FreeBSD 5.4 jailing and BPF ronvdaal (Jul 11)
- Re: Possible security issue with FreeBSD 5.4 jailing and BPF Simon L. Nielsen (Jul 12)
- Re: Possible security issue with FreeBSD 5.4 jailing and BPF ronvdaal (Jul 12)
- Re: Possible security issue with FreeBSD 5.4 jailing and BPF Simon L. Nielsen (Jul 12)
- Re: Possible security issue with FreeBSD 5.4 jailing and BPF Robert Watson (Jul 12)
- Re: Possible security issue with FreeBSD 5.4 jailing and BPF ronvdaal (Jul 12)
- Re: Possible security issue with FreeBSD 5.4 jailing and BPF Simon L. Nielsen (Jul 12)