-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-EN-07:03.rc.d_jail Errata Notice The FreeBSD Project Topic: rc.d jail script interface IP alias removal Category: core Module: etc_rc.d Announced: 2007-02-28 Credits: Philipp Wuensche Affects: FreeBSD 6.2-RELEASE. Corrected: 2007-01-02 11:14:07 UTC (RELENG_6, 6.2-STABLE) 2007-02-28 18:24:37 UTC (RELENG_6_2, 6.2-RELEASE-p2) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The jail(2) system call allows a system administrator to lock a process and all of its descendants inside an environment with a very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more powerful than, the traditional UNIX chroot(2) system call. The host's jail rc.d(8) script can be used to start and stop jails automatically on system boot/shutdown. The jail_interface rc.conf(5) variable can be used to automatically add and remove an IP address on a specific network interface when a jail starts and stops. II. Problem Description A cleanup of the rc.d jail script did not rename the variables used by the jail_interface feature when removing the IP address in the case where the jail startup fails. This may result in ifconfig(8) being run with incorrect arguments. III. Impact Since the wrong variable is used, in some cases, ifconfig(8) will remove an arbitrary IP address instead of the IP address of the jail if startup of a jail fails. It may be possible for a user with root access in a jail to provoke this situation by intentionally making jail startup fail. IV. Workaround Do not use the jail_interface feature; instead, manually configure IP addresses for the jails. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_2 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.2 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/EN-07:03/rc.d_jail.patch # fetch http://security.FreeBSD.org/patches/EN-07:03/rc.d_jail.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # install -o root -g wheel -m 555 etc/rc.d/jail /etc/rc.d VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/etc/rc.d/jail 1.23.2.8 RELENG_6_2 src/UPDATING 1.416.2.29.2.5 src/sys/conf/newvers.sh 1.69.2.13.2.5 src/etc/rc.d/jail 1.23.2.7.2.2 - ------------------------------------------------------------------------- The latest revision of this Errata Notice is available at http://security.FreeBSD.org/advisories/FreeBSD-EN-07:03.rc.d_jail.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFF5ct8FdaIBMps37IRAu3qAKCHNEFb/kqTVyFSllHyG6YOg+qccACfbmfI CiEeWDDU73GVG+T15VeGH2Q= =EQyo -----END PGP SIGNATURE-----