Bug #5058

devfs doesn't apply restricted rules to jail /dev mountpoint

Added by Giacomo Pinagli over 7 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Important
Assignee: John Hixson
Category: Middleware
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

Following this FreeBSD security advisory (http://www.freebsd.org/security/advisories/FreeBSD-SA-14:07.devfs.asc) I've checked all my running systems.

I run several jails on FreeNAS and some jails on a FreeBSD 10 system. Both are using The Warden.

What I found in both systems is the fact that the root user in the jail (this is the default user) has unlimited access to /dev mounted in the jail by devfs, which is a huge security issue.
An attacker that compromises a jail can, for example, format a system drive or have access to other sensitive devices like mem.

The issue can be solved by issuing: devfs -m ${devfs_mountpoint} rule -s 4 applyset

This is a temporary fix and it obviously resets on reboots.

Why doesn't the Warden apply the system devfs ruleset?
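
A way to check a jail for the exposure described in this report, as an added example that is not part of the original ticket or of the Warden code: the script lists entries under a jail's /dev that the stock jail ruleset would hide. The allowlist is an assumption modelled on devfsrules_jail (ruleset 4) in /etc/defaults/devfs.rules, and the script and function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the ticket): list entries under a jail's /dev that
# the stock jail devfs ruleset would hide.
# Usage: sh check_jail_dev.sh <jail root>/dev   (script name is hypothetical)
LC_ALL=C; export LC_ALL   # stable sort order and [l-s] ranges

# Assumption: allowlist modelled on devfsrules_jail (ruleset 4) in
# /etc/defaults/devfs.rules; compare with the file on your own system.
is_allowed() {
    case "$1" in
        log|null|zero|crypto|random|urandom) return 0 ;;       # unhide_basic
        pty[l-sL-S]*|tty[l-sL-S]*|ptmx|pts|pts/*) return 0 ;;  # unhide_login
        fd|fd/*|stdin|stdout|stderr) return 0 ;;               # unhide_login
        zfs) return 0 ;;                                       # devfsrules_jail
    esac
    return 1
}

# Print every path (relative to the given /dev directory) not on the allowlist.
unexpected_devs() {
    ( cd "$1" 2>/dev/null || exit 2
      find . ! -name . | sed 's|^\./||' | sort | while IFS= read -r name; do
          is_allowed "$name" || printf '%s\n' "$name"
      done )
}

# Return 0 if only allowlisted nodes are visible, 1 if others are exposed,
# 2 if the directory cannot be read.
audit_jail_dev() {
    found=$(unexpected_devs "$1") || return 2
    [ -z "$found" ] && return 0
    printf 'UNRESTRICTED: %s exposes:\n%s\n' "$1" "$found"
    return 1
}

if [ "$#" -gt 0 ]; then audit_jail_dev "$1"; fi
```

A jail that has deliberately been given extra devices through a custom ruleset will also be reported, so review the output against that jail's intended ruleset.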

Associated revisions

Revision eadff4f8 (diff)
Added by John Hixson about 7 years ago

Limit jails to a single type, but still allow templates
- While here, fix the devfs security issue
- Added new 9.3 templates, updated pkgn with them
Ticket: #5058
Ticket: #5948
Ticket: #5419

History

#1 Updated by John Hixson over 7 years ago

  • Status changed from Unscreened to Screened
  • Priority changed from Expected to Important

#2 Updated by John Hixson about 7 years ago

  • Status changed from Screened to Resolved

#3 Updated by Dru Lavigne almost 4 years ago

  • Target version set to Master - FreeNAS Nightlies
