jailutils security issue, and possible issue with 'jail'
Nielsen
nielsen at memberwebs.com
Wed Jul 7 11:45:38 PDT 2004
Since some of you use the jailutils package, I just wanted to post some
additional info on the recent 'security fix' and also highlight a
possible issue with the 'jail' command.
http://memberwebs.com/nielsen/freebsd/jails/jailutils/security.html
It's not a very big issue (unless I'm missing something), simply one of
leaking the host environment into the jail.
This might be used legitimately in certain cases, but in most cases it's
probably a good idea to clear out the environment before executing the
jail() or jail_attach() syscalls.
The 'jstart' utility included in jailutils does this and it would
probably be a good addition to 'jexec' and/or 'jail'.
More information about the freebsd-security
mailing list