From kostikbel@gmail.com Thu May 26 00:53:53 2011
Message-Id: <20110526001815.GD48734@deviant.kiev.zoral.com.ua>
Date: Thu, 26 May 2011 03:18:17 +0300
From: Kostik Belousov
To: Chris Rees
Cc: Colin Percival, bug-followup@freebsd.org, Benedict Reuschling, Jilles Tjoelker
In-Reply-To:
Subject: Re: Fwd: docs/156853: [patch] Update docs: jail(8) security issues with world-readable jail root
References: <4DD90459.3010200@FreeBSD.org> <20110522191752.GR48734@deviant.kiev.zoral.com.ua> <4DDB76E7.4020602@freebsd.org>

>Number: 157328
>Category: docs
>Synopsis: Re: docs/156853: [patch] Update docs: jail(8) security issues with world-readable jail root
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-doc
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 26 01:00:20 UTC 2011
>Closed-Date: Thu May 26 14:05:46 UTC 2011
>Last-Modified: Thu May 26 14:05:46 UTC 2011
>Originator:
>Release:
>Organization:
>Environment:
>Description:

On Wed, May 25, 2011 at 06:52:03PM +0100, Chris Rees wrote:
> Thanks for the input from kib@, bcr@, jilles@ and cperciva@ there's a
> new patch for each [1,2].
>
> Chris
>
> [1] http://www.bayofrum.net/~crees/patches/jail-secure-handbook_2.diff
> [2] http://www.bayofrum.net/~crees/patches/jail-secure-manpage_2.diff

Now you are referencing some unspecified "file descriptors" handling
issues that are present for nullfs but not for NFS. What are they?

Please do not mention me in any way if the patches happen to land in
our repository.

BTW, do we also put such verbose wording somewhere for the "security"
issue of removing not writable / not owned files in the directory
writable by some user?

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: linimon
State-Changed-When: Thu May 26 14:03:09 UTC 2011
State-Changed-Why:
Misfiled followup to docs/156853; content migrated.

Responsible-Changed-From-To: gnats-admin->freebsd-doc
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu May 26 14:03:09 UTC 2011
Responsible-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=157328

>Unformatted: