Bug 204897

Summary: [jail] Jail names cannot start with a '0', resulting in 'jail: name cannot be numeric (unless it is the jid)'
Product: Base System Reporter: Sergey Zakharchenko <doublef.mobile>
Component: kernAssignee: Jamie Gritton <jamie>
Status: Closed FIXED    
Severity: Affects Some People CC: jamie
Priority: --- Keywords: patch
Version: 10.2-RELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
Untested sample patch
none
check for non-numeric or canonical jid none

Description Sergey Zakharchenko 2015-11-29 18:13:10 UTC
Created attachment 163656 [details]
Untested sample patch

If, for example, the following command starts a jail:

# jail -n someday ...

and so does the following command:

# jail -n 1day ...

this one doesn't:

# jail -n 0day /var/empty empty 10.0.0.1 /bin/sh
jail: name cannot be numeric (unless it is the jid)

Apart from people making up stupid names for jails, this affects anyone trying to run Docker on FreeBSD. The behavior is due to a bug in sys/kern/kern_jail.c's detection of numeric JIDs, which dates back to 2009:

https://svnweb.freebsd.org/base/head/sys/kern/kern_jail.c?revision=285685&view=markup

> else if (*namelc == '0' || (strtoul(namelc, &p, 10) != jid && *p == '\0')))

It thinks everything that starts with a '0' is numeric, and doesn't
check that it's the only character, e.g. namelc[1] == '\0'. Untested sample patch is attached.
Comment 1 Jamie Gritton freebsd_committer freebsd_triage 2015-12-10 19:19:30 UTC
Created attachment 164084 [details]
check for non-numeric or canonical jid

I'm trying to remember a few years back, but I think the reason I checked for namelc[0] == '0' is to weed out leading zeroes (since the "!= jid" test will already catch a name of "0").  That was clearly not done right.

This patch will allow any name that's not fully numeric, such as your "0day" example, also the jid in normal form (no leading zero, space, '+'), but no other fully numeric names.  I'll submit it shortly unless anyone sees some problem.
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-12-15 17:25:18 UTC
A commit references this bug:

Author: jamie
Date: Tue Dec 15 17:25:00 UTC 2015
New revision: 292277
URL: https://svnweb.freebsd.org/changeset/base/292277

Log:
  Fix jail name checking that disallowed anything that starts with '0'.
  The intention was to just limit leading zeroes on numeric names.  That
  check is now improved to also catch the leading spaces and '+' that
  strtoul can pass through.

  PR:		204897
  MFC after:	3 days

Changes:
  head/sys/kern/kern_jail.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-12-18 00:33:51 UTC
A commit references this bug:

Author: jamie
Date: Fri Dec 18 00:33:03 UTC 2015
New revision: 292415
URL: https://svnweb.freebsd.org/changeset/base/292415

Log:
  MFC r292277:

    Fix jail name checking that disallowed anything that starts with '0'.
    The intention was to just limit leading zeroes on numeric names.  That
    check is now improved to also catch the leading spaces and '+' that
    strtoul can pass through.

  PR:		204897

Changes:
_U  stable/9/sys/
  stable/9/sys/kern/kern_jail.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-12-18 00:33:53 UTC
A commit references this bug:

Author: jamie
Date: Fri Dec 18 00:33:04 UTC 2015
New revision: 292416
URL: https://svnweb.freebsd.org/changeset/base/292416

Log:
  MFC r292277:

    Fix jail name checking that disallowed anything that starts with '0'.
    The intention was to just limit leading zeroes on numeric names.  That
    check is now improved to also catch the leading spaces and '+' that
    strtoul can pass through.

  PR:		204897

Changes:
_U  stable/10/
  stable/10/sys/kern/kern_jail.c