shell# /sbin/devfs rule -s 2 delset
shell# /sbin/devfs rule -s 2 add hide
shell# /sbin/devfs rule -s 2 add path random unhide
shell# /sbin/devfs rule -s 2 add path urandom unhide
shell# /sbin/devfs rule -s 2 add path zero unhide
shell# /sbin/devfs rule -s 2 add path pty\* unhide
shell# /sbin/devfs rule -s 2 add path pty\* unhide
shell# /sbin/devfs rule -s 2 add path tty\* unhide
shell# /sbin/mount_devfs devfs /storage0/site/dev
shell# /sbin/devfs -m /storage0/site/dev ruleset 2
shell# cd /storage0/site/dev
shell# ls
fd      ptyp6   ptypf   ptypo   ttyld0  ttyp7   ttypg   ttypp   ttyv6   ttyvf
net     ptyp7   ptypg   ptypp   ttyld1  ttyp8   ttyph   ttypq   ttyv7   urandom
null    ptyp8   ptyph   ptypq   ttyp0   ttyp9   ttypi   ttypr   ttyv8   zero
ptyp0   ptyp9   ptypi   ptypr   ttyp1   ttypa   ttypj   ttyv0   ttyv9
ptyp1   ptypa   ptypj   random  ttyp2   ttypb   ttypk   ttyv1   ttyva
ptyp2   ptypb   ptypk   ttyd0   ttyp3   ttypc   ttypl   ttyv2   ttyvb
ptyp3   ptypc   ptypl   ttyd1   ttyp4   ttypd   ttypm   ttyv3   ttyvc
ptyp4   ptypd   ptypm   ttyid0  ttyp5   ttype   ttypn   ttyv4   ttyvd
ptyp5   ptype   ptypn   ttyid1  ttyp6   ttypf   ttypo   ttyv5   ttyve

Everything looks great, but:

shell# w -n
USER   TTY   FROM   LOGIN@   IDLE   WHAT
root   pm    ???    ???      -      w -n
shell# jexec 1 /bin/sh
# cd /dev
# ls -al snp*
ls: snp*: No such file or directory
# watch -W pm
shell# id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)

And I'm outside!
Poul-Henning Kamp
2003-Oct-27 03:48 UTC
jail + devfs + snp problem (FreeBSD 5.1-RELEASE-p10)
In message <3F92FE5B.5070709@bsk.vectranet.pl>, Adam Nowacki writes:

>shell# /sbin/devfs rule -s 2 delset
>shell# /sbin/devfs rule -s 2 add hide
>shell# /sbin/devfs rule -s 2 add path random unhide
>shell# /sbin/devfs rule -s 2 add path urandom unhide
>shell# /sbin/devfs rule -s 2 add path zero unhide
>shell# /sbin/devfs rule -s 2 add path pty\* unhide
>shell# /sbin/devfs rule -s 2 add path pty\* unhide
>shell# /sbin/devfs rule -s 2 add path tty\* unhide
>shell# /sbin/mount_devfs devfs /storage0/site/dev

Running ls -l /storage0/site/dev/snp* will undoubtedly show one or more snp* devices.

>shell# /sbin/devfs -m /storage0/site/dev ruleset 2

This only makes the ruleset apply to devices created in the future. To also apply it to currently created devices, you should also give the command:

	/sbin/devfs -m /storage0/site/dev rule applyset

After which any snp* (and other filtered) devices will be gone.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
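The corrected procedure from the two posts (build the ruleset, attach it with `ruleset`, then push it onto the nodes that already exist with `rule applyset`) as one script, followed by a check that the nodes you meant to hide are really gone. This is an added example and not code from either poster; ruleset number 2, the mountpoint and the unhide list come from the original post, while the function names, the DEVFS/MOUNT_DEVFS override variables (set them to `echo` for a dry run) and the leak check are assumptions of this example, not FreeBSD tooling.

```shell
#!/bin/sh
# Added example (not from the thread): build a jail devfs ruleset, attach it,
# apply it to nodes that already exist, then verify nothing leaked.
# Ruleset 2, the mountpoint and the unhide list follow the original post; the
# function names and the DEVFS/MOUNT_DEVFS overrides are this example's own.
set -u

DEVFS=${DEVFS:-/sbin/devfs}                   # DEVFS=echo for a dry run
MOUNT_DEVFS=${MOUNT_DEVFS:-/sbin/mount_devfs}

# jail_devfs_setup RULESET MOUNTPOINT
# Hide everything, re-expose only the nodes the jail needs, mount devfs,
# attach the ruleset (covers nodes created from now on) and apply it to the
# nodes that are already present (the step the original post was missing).
jail_devfs_setup() {
    rs=$1
    mnt=$2
    "$DEVFS" rule -s "$rs" delset
    "$DEVFS" rule -s "$rs" add hide
    for p in random urandom zero 'pty*' 'tty*'; do
        "$DEVFS" rule -s "$rs" add path "$p" unhide
    done
    "$MOUNT_DEVFS" devfs "$mnt"
    "$DEVFS" -m "$mnt" ruleset "$rs"          # future nodes only
    "$DEVFS" -m "$mnt" rule applyset          # existing nodes too
}

# devfs_leaks DIR PATTERN...
# Print every node in DIR matching any PATTERN; return 1 if one exists,
# 0 if the directory is clean. Unlike "ls snp*", an unmatched pattern is
# not an error: the glob stays unexpanded and the -e test rejects it.
devfs_leaks() {
    dir=$1
    shift
    found=0
    for pat in "$@"; do
        for f in "$dir"/$pat; do
            [ -e "$f" ] || continue
            echo "leaked: $f"
            found=1
        done
    done
    return "$found"
}

# Usage: sh jail_devfs.sh run   (on FreeBSD, as root)
if [ "${1:-}" = "run" ]; then
    jail_devfs_setup 2 /storage0/site/dev
    if devfs_leaks /storage0/site/dev 'snp*' mem kmem; then
        echo "OK: no snp*/mem/kmem nodes visible under /storage0/site/dev"
    else
        echo "FAIL: hidden devices still visible" >&2
        exit 1
    fi
fi
```

Run the leak check from outside the jail against the jail's own devfs mount, and rerun it whenever a new device driver is loaded on the host: `ruleset` covers those new nodes, but anything that existed before the attach is only covered once `rule applyset` has been issued.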