On 2005.07.11 23:54:15 +0200, ronvdaal wrote:

> While playing around with FreeBSD 5.4 and jailing I discovered that it was
> possible to put an ethernet interface into promiscuous mode from within the
> jailed environment, allowing a packet sniffer to gather data not meant for
> the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x.
> This can be reproduced on boxes where BPF support is enabled in the kernel
> and a BPF device is available in the jail (badly configured devfs/no rules)

[...]

> Usage of devfs rulesets is highly recommended as stated in the manpages.
> Though a misconfiguration at this point would expose a big security issue.
> The question is: should bpfopen() in bpf.c check for a jailed proc or not?

This is not really a security bug since, as stated in the jail(8) manual,
you should use devfs rulesets if you are using jails as a security measure.
Exposing a complete /dev file-system inside a jail is a bad idea
security-wise, not just with regards to BPF.

-- 
Simon L. Nielsen
FreeBSD Security Team
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
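
The devfs ruleset point made in the thread, as an added example that is not part of the original messages: a Python sketch that applies a simplified subset of devfs(8) rules (only `add [path PATTERN] hide|unhide`, flat device names) in order and reports whether any bpf node stays visible in the jail's /dev. The rule subset, the function names and the device list are assumptions constructed for illustration.

```python
import fnmatch
import shlex

# Constructed sample: device nodes a host /dev might contain (not from the thread).
NODES = ["ad0", "bpf0", "bpf1", "kmem", "mem", "null",
         "random", "ttyp0", "urandom", "zero"]

# No ruleset applied to the jail's devfs mount: the misconfiguration described.
NO_RULES = []

# Constructed jail ruleset: hide everything, then unhide only what the jail needs.
JAIL_RULES = [
    "add hide",
    "add path null unhide",
    "add path zero unhide",
    "add path random unhide",
    "add path urandom unhide",
    "add path 'ttyp*' unhide",
]

def visible_nodes(rules, nodes):
    """Apply the rules in order (last matching hide/unhide wins)."""
    hidden = {n: False for n in nodes}  # with no rules, every node is visible
    for line in rules:
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0] != "add":
            continue  # blank lines, comments, section headers
        tokens = tokens[1:]
        pattern = "*"  # a rule without a path condition matches every node
        if tokens[:1] == ["path"]:
            pattern, tokens = tokens[1], tokens[2:]
        if tokens not in (["hide"], ["unhide"]):
            raise ValueError(f"unsupported rule: {line!r}")
        for n in nodes:
            if fnmatch.fnmatchcase(n, pattern):
                hidden[n] = tokens == ["hide"]
    return sorted(n for n in nodes if not hidden[n])

def exposed_bpf(rules, nodes):
    """Return the bpf device nodes a jailed process could still open."""
    return [n for n in visible_nodes(rules, nodes)
            if fnmatch.fnmatchcase(n, "bpf*")]

if __name__ == "__main__":
    for name, rules in (("no rules", NO_RULES), ("jail ruleset", JAIL_RULES)):
        print(name, "-> visible:", visible_nodes(rules, NODES),
              "bpf exposed:", exposed_bpf(rules, NODES))
```

On a real host the same check is a listing of the jail's /dev for `bpf*` nodes after the ruleset has been applied to its devfs mount.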