Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» FreeBSD » Jail startup script conflicts

Jail startup script conflicts

The names of several internal variables in the jail startup script conflicted with those of global variables that could be set by administrators. In addition, some configuration variables are not properly validated in the jail startup script.

  • Vendor: FreeBSD
  • Vendor ID: EN-06:01.jail
  • Date: July 07, 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FreeBSD-EN-06:01.jail Errata Notice
The FreeBSD Project

Topic: Jail startup scripts may override some global jail_*
variables.

Category: core
Module: etc_rc.d
Announced: 2006-07-07
Credits: Florent Thoumie, Pawel Dawidek, Cheng-Lung Sung
Affects: FreeBSD 6.1-RELEASE
Corrected: 2006-07-07 07:25:21 UTC

I. Background

System startup scripts, typically in /etc/rc.d, control what happens
as a system boots to multi-user mode. The behavior of those scripts
can be controlled by "global" variables in /etc/rc.conf.

II. Problem Description

The names of several internal variables in the jail startup script
conflicted with those of global variables that could be set by
administrators. In addition, some configuration variables are not
properly validated in the jail startup script.

III. Impact

Jails may not have started up as the administrator intended. If some
configuration variables required by jail configuration in /etc/rc.conf
are not correctly set jail startup may have been attempted by the script
anyway.

IV. Solution

Do one of the following to update the source tree:

1) Upgrade your affected system to the RELENG_6_1 errata branch dated
after the correction date using cvsup(1) or cvs(1). This is the
preferred method. For information on how to use cvsup(1) to update
your source code see:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

2) Obtain the updated files using the cvsweb interface. Cvsweb is a
Web interface to the CVS repository. The URL to the general
interface is "http://www.freebsd.org/cgi/cvsweb.cgi/". You can
obtain any of the source files for the RELENG_6_1 branch by going
to the src directory ("http://www.freebsd.org/cgi/cvsweb.cgi/src")
and then selecting the "RELENG_6_1" branch tag. With the branch
tag set navigate to the files listed below in the "Correction
details" section and download them, making sure you get the correct
revision numbers. Copy the downloaded files into your /usr/src tree.

If using the second procedure you should make sure you have used that
same procedure to download all previous Errata Notices and Security
Advisories. We strongly discourage this procedure due to the problems
that may be caused by not doing that - using the first procedure takes
care of making sure all updates get applied.

Then use mergemaster(8) to install the updated startup script support. Note
that mergemaster(8) will expect to find a normal object file tree having
resulted from doing 'make world' in /usr/src, and will build one if it
does not exist. If you do not have a recent object file tree you may
want to just manually copy the src/etc/rc.d/jail and src/etc/defaults/rc.conf
files into place.

V. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

- ---------------------------------------------------------------------------
RELENG_6_1

Revision Changes Path
1.416.2.22.2.5 +3 -0 src/UPDATING
1.23.2.3.2.2 +102 -91 src/etc/rc.d/jail
1.69.2.11.2.5 +1 -1 src/sys/conf/newvers.sh

- ---------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFErgzzFdaIBMps37IRAh17AJwLueUv5ZzXrbZG8qtL1lwgpPZCCgCfYGxE
2oAorGMRBTbqVx/YhKJX1lA=
=Lmti
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »