FreeBSD-SA-07:01.jail
新年第一段の Security Advisory として Jail rc.d script privilege escalation が出ました。まだ announce-jp @ jp.FreeBSD.org には流れてませんね。
で、これに関して Security Officer の Colin Percival 氏が HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail というメールを投げています。細かく読めていないのでとりあえず張っておきますが、ざっと見た限りではこの問題のために FreeBSD 6.2-RELEASE の公開が遅延したみたいです。かなり厄介な問題のようですね...
Hello Everyone, I usually let security advisories speak for themselves, but I want to call special attention to this one: If you use jails, READ THE ADVISORY, in particular the "NOTE WELL" part below; and if you have problems after applying the security patch, LET US KNOW -- we do everything we can to make sure that security updates will never cause problems, but in this case we could not fix the all of the security issues without either making assumptions about how systems are configured or reducing functionality. In the end we opted to reduce functionality (the jail startup process is no longer logged to /var/log/console.log inside the jail), make an assumption about how systems are configured (filesystems which are mounted via per-jail fstab files should not be mounted on symlinks -- if you do this, adjust your fstab files to give the real, non-symlinked, path to the mount point), and leave a potential security problem unfixed (if you mount any filesystems via per-jail fstab files on mount points which are visible within multiple jails, there are problems -- don't do this). While this is not ideal, this security issue was extraordinarily messy due to the power and flexibility of the jails and the jail rc.d script. I can't recall any other time when the security team has spent this long trying to find a working patch for a security issue. I'd like to publicly thank Simon Nielsen for the many many hours he spent working on this issue, as well as the release engineering team for being very patient with us and delaying the upcoming release to give us time to fix this. Sincerely, Colin Percival FreeBSD Security Officer