FreeBSD Jail Utilities: Security Fix

Over the last few days some posts and notices have been going around about a security bug in jailutils 0.5.4 and earlier and that 0.6 fixes these issues. As these notices have very little information I wanted to take a minute to describe the problem for interested sysadmins.

There is no known 'security bug' in jailutils earlier than 0.6. Instead a new utility was added called jstart. This command is a more secure way of starting a jail than FreeBSD's jail command.

The jail command does not purge the environment before executing the jailed process. In this way certain information could leak into the jail from the host system. In many cases this may be seen as a feature, especially in the case of a single executable running inside a jail. However in the case of a full blown jail (one that mimics a full system) this is usually not desired.

The jstart utility was created to address this issue. The man pages fully document the differences and the reasons for this addition.

(Note: I've done my best to develop these utilities securely. However if you do find a security issue don't hesitate to contact me and I'll address it promptly.)

   [ jailutils ] [ home page ]