From: Stef Walter <stef@memberwebs.com>
To: freebsd-security@freebsd.org
Date: Tue, 17 Jul 2007 03:22:04 +0000 (UTC)
Subject: kern.chroot_allow_open_directories

The chroot(2) man page describes a sysctl called
'kern.chroot_allow_open_directories' which controls whether a process
can chroot() and is already subject to the chroot() syscall.

It seems that this sysctl can be trivially changed from within a
chroot'd process (ie: if that process has superuser privileges).

Is this sysctl meant to prevent breaking out of a chroot? Or am I
missing the point of 'kern.chroot_allow_open_directories'?

Cheers,

Stef


From: Dag-Erling Smørgrav <des@des.no>
To: Stef Walter
Cc: freebsd-security@freebsd.org
Date: Tue, 17 Jul 2007 12:45:40 +0200
Subject: Re: kern.chroot_allow_open_directories

Stef Walter writes:
> The chroot(2) man page describes a sysctl called
> 'kern.chroot_allow_open_directories' which controls whether a process
> can chroot() and is already subject to the chroot() syscall.
>
> It seems that this sysctl can be trivially changed from within a
> chroot'd process (ie: if that process has superuser privileges).

That's what securelevels are for.

DES
-- 
Dag-Erling Smørgrav - des@des.no


From: Pieter de Boer <pieter@thedarkside.nl>
To: Stef Walter
Cc: freebsd-security@freebsd.org
Date: Thu, 19 Jul 2007 19:35:13 +0200
Subject: Re: kern.chroot_allow_open_directories

Stef Walter wrote:
> The chroot(2) man page describes a sysctl called
> 'kern.chroot_allow_open_directories' which controls whether a process
> can chroot() and is already subject to the chroot() syscall.
>
> It seems that this sysctl can be trivially changed from within a
> chroot'd process (ie: if that process has superuser privileges).
>
> Is this sysctl meant to prevent breaking out of a chroot? Or am I
> missing the point of 'kern.chroot_allow_open_directories'?
>
If the sysctl was set to 0 at the moment chroot() was called, then the
chroot() would have failed if the calling process had open directories
(that's what the sysctl is meant to do, if I'm understanding the source
right). If directories weren't open, the chroot() would work, but the
process would obviously not be able to open directories outside the
chroot after that, even if you'd set the sysctl to 1.

As I see it, there's no problem here, but could be wrong; chroot() is
tricky afaik..

-- 
Pieter


From: Stef Walter <stef@memberwebs.com>
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Date: Thu, 19 Jul 2007 20:34:29 +0000 (UTC)
Subject: Re: kern.chroot_allow_open_directories

Pieter de Boer wrote:
>> Is this sysctl meant to prevent breaking out of a chroot? Or am I
>> missing the point of 'kern.chroot_allow_open_directories'?
>>
> If the sysctl was set to 0 at the moment chroot() was called, then the
> chroot() would have failed if the calling process had open directories
> (that's what the sysctl is meant to do, if I'm understanding the source
> right). If directories weren't open, the chroot() would work, but the
> process would obviously not be able to open directories outside the
> chroot after that, even if you'd set the sysctl to 1.
>
> As I see it, there's no problem here, but could be wrong; chroot() is
> tricky afaik..

Yes, it sure is. However, if a root process inside the chroot jail reset
that sysctl, it seems it could then perform the usual break out thingy:

http://www.bpfh.net/simes/computing/chroot-break.html

I guess what I was wondering is if FreeBSD is in fact immune to this
attack, and whether it makes sense to chroot superuser processes on
FreeBSD.

Cheers,

Stef
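An added example, not code from this thread or from FreeBSD, illustrating Pieter's description of the open-directory check and Stef's closing question about chrooting superuser processes: a C sketch of the discipline a program that starts as root should follow, refusing to chroot() while any directory descriptor is open (the condition the sysctl set to 0 makes the kernel enforce), moving the cwd inside the new root, and then dropping root for good so the process can neither flip the sysctl nor call chroot() again. The function names, the SC_* result codes and the uid/gid arguments are this example's own.

```c
#define _DEFAULT_SOURCE           /* chroot()/setgroups() prototypes on glibc */
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <unistd.h>

/* Outcomes of safe_chroot(); the names are this example's own. */
enum { SC_OK = 0, SC_OPEN_DIRS, SC_CHROOT, SC_CHDIR, SC_DROP, SC_REGAIN };

/* Count open descriptors that refer to directories.  With
 * kern.chroot_allow_open_directories=0 the kernel refuses chroot() while
 * any such descriptor exists, because it would stay a handle into the old
 * tree; this is the user-space version of that check. */
int count_open_directory_fds(void)
{
    struct stat st;
    long maxfd = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;                   /* keep the scan bounded */
    for (int fd = 0; fd < maxfd; fd++)
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    return n;
}

/* chroot() discipline for a program that starts as root: refuse if any
 * directory is open, move the cwd inside the new root, then give up root
 * permanently so the process can neither flip the sysctl nor chroot()
 * again.  Only the first check can be exercised without root. */
int safe_chroot(const char *newroot, uid_t uid, gid_t gid)
{
    if (count_open_directory_fds() > 0)
        return SC_OPEN_DIRS;
    if (chroot(newroot) != 0)
        return SC_CHROOT;
    if (chdir("/") != 0)                 /* cwd must be inside the new root */
        return SC_CHDIR;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return SC_DROP;
    if (setuid(0) == 0)                  /* must not be able to get root back */
        return SC_REGAIN;
    return SC_OK;
}
```

Run as root, safe_chroot("/var/jail", uid, gid) either ends as an unprivileged process confined to the new root or reports which step refused; the securelevel DES mentions is the complementary kernel-side guard against the sysctl being changed at all.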