From owner-freebsd-security Sun Feb 23 00:00:42 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA27412 for security-outgoing; Sun, 23 Feb 1997 00:00:42 -0800 (PST)
Received: from profane.iq.org (profane.iq.org [203.4.184.217]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA27377; Sun, 23 Feb 1997 00:00:06 -0800 (PST)
Received: (from proff@localhost) by profane.iq.org (8.8.4/8.8.2) id SAA09960; Sun, 23 Feb 1997 18:54:23 +1100 (EST)
From: Julian Assange
Message-Id: <199702230754.SAA09960@profane.iq.org>
Subject: Re: o [1997/02/01] bin/2634 rtld patches for easy creation of chroot enviroments
In-Reply-To: <27770.856542186@critter.dk.tfs.com> from Poul-Henning Kamp at "Feb 21, 97 05:23:06 pm"
To: phk@critter.dk.tfs.com (Poul-Henning Kamp)
Date: Sun, 23 Feb 1997 18:54:22 +1100 (EST)
Cc: security@freebsd.org, hackers@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> >: >I have read it twice now, to be quite honest, this sort of change scares
> >: >the hell out of me.  It seems like it'd be real easy to make a mondo
> >: >security hole out of it due to the usual chroot() risks.

No, it has the same protection that LD_PRELOAD does.

> >I took a quick peek at it while looking for other security problems,
>
> Considering the way shared libs work, I would not trust a program in
> a chroot sandbox to use the shlibs I use outside.  This does >not<
> in any way improve security.

The only way to break out of the sandbox into the shlib image is if the
vm system is broken and permits mprotect() transition to
PROT_WRITE/MAP_SHARED of the shlib code area, which was opened as RDONLY
and mapped PROT_READ/MAP_COPY.

mmap.2 ->

     [EACCES]      The flag PROT_READ was specified as part of the prot
                   parameter and fd was not open for reading.
                   The flags PROT_WRITE, MAP_SHARED and MAP_WRITE were
                   specified as part of the flags and prot parameters
                   and fd was not open for writing.

I haven't tested to see if the vm system is broken. If it is it must be
fixed. Dyson?

> Complication (and slowing down) the shlib startup is not warranted
> by the gain in functionality.

Did you actually look at the patch? It only requires an additional
getenv (not a system call). There are several in ld.so.

        L("LD_LIBRARY_PATH=", 1, &ld_library_path)
        L("LD_PRELOAD=", 1, &ld_preload)
        L("LD_IGNORE_MISSING_OBJECTS=", 1, &ld_ignore_missing_objects)
        L("LD_TRACE_LOADED_OBJECTS=", 0, &ld_tracing)
        L("LD_BIND_NOW=", 0, &ld_bind_now)
        L("LD_SUPPRESS_WARNINGS=", 0, &ld_suppress_warnings)
        L("LD_WARN_NON_PURE_CODE=", 0, &ld_warn_non_pure_code)

> You can obtain the same savings in disk by hardlinking the copies of
> the shlibs together (since they're probably on the same filesystem anyway.

Oh boy.

> I vote >NO< to this change.

Maybe you should read your signature first ;)

> --
> Poul-Henning Kamp             | phk@FreeBSD.ORG       FreeBSD Core-team.
> http://www.freebsd.org/~phk   | phk@login.dknet.dk    Private mailbox.
> whois: [PHK]                  | phk@tfs.com           TRW Financial Systems, Inc.
> Power and ignorance is a disgusting cocktail.

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
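The mail leaves the VM property it relies on untested ("I haven't tested to see if the vm system is broken"). The program below is an added example, not part of the mail or of the bin/2634 patch: it assumes a POSIX system where MAP_PRIVATE is the current spelling of the MAP_COPY named above, stands in a constructed temp file for the shlib image, and checks both halves of the argument: that a read-only fd cannot be mapped PROT_WRITE/MAP_SHARED at all, and that adding PROT_WRITE to a private mapping with mprotect() never reaches the file.

```c
/* Added example, not the bin/2634 patch: checks the VM property the mail relies on.
 * MAP_PRIVATE is the modern name for MAP_COPY; the "shlib image" is a constructed temp file. */
#define _XOPEN_SOURCE 700                    /* mkstemp(), pread() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
static const char kImage[] = "original shlib text";   /* constructed image, 20 bytes */

/* Creates a temp file holding kImage and returns a read-only fd to it (-1 on error). */
int open_readonly_image(void) {
    char path[] = "/tmp/shlibXXXXXX";
    int wfd = mkstemp(path), rfd;
    if (wfd < 0) return -1;
    if (write(wfd, kImage, sizeof kImage) != (ssize_t)sizeof kImage) { close(wfd); unlink(path); return -1; }
    close(wfd);
    rfd = open(path, O_RDONLY);
    unlink(path);                            /* the fd keeps the inode alive */
    return rfd;
}

/* 1 if the kernel refuses a PROT_WRITE/MAP_SHARED mapping of a read-only fd with EACCES. */
int shared_write_map_refused(int fd, size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p != MAP_FAILED) { munmap(p, len); return 0; }   /* broken VM: writes could hit the file */
    return errno == EACCES;
}

/* Maps fd PROT_READ/MAP_PRIVATE, adds PROT_WRITE with mprotect(), scribbles on the page,
 * and returns 1 if the backing file is unchanged (the write landed on a private copy). */
int private_write_stays_private(int fd, size_t len) {
    char buf[sizeof kImage];
    void *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) return -1;
    if (mprotect(p, len, PROT_READ | PROT_WRITE) != 0) { munmap(p, len); return -1; }
    memcpy(p, "PATCHED", 7);                 /* copy-on-write: the page becomes anonymous */
    munmap(p, len);
    if (pread(fd, buf, sizeof buf, 0) != (ssize_t)sizeof buf) return -1;
    return memcmp(buf, kImage, sizeof buf) == 0;
}

int main(void) {
    int fd = open_readonly_image();
    printf("shared write map refused: %d, private write stays private: %d\n",
           shared_write_map_refused(fd, sizeof kImage), private_write_stays_private(fd, sizeof kImage));
    return fd < 0;
}
```

Both checks print 1 on a sound VM system; a 0 from either is the "broken" case the mail says would have to be fixed before trusting the shared image inside the chroot.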