Date: Sat, 19 Dec 1998 05:22:57 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: "Marco Molteni"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
References: <62537.913989002@zippy.cdrom.com>

At 7:57 PM +0100 12/18/98, Marco Molteni wrote:

> Scenario:
>
> 1. Bob is a non-privileged user.
> 2. Bob actively searches for buffer overflows in suid binaries.
> 3. If Bob is able to do his job, sooner or later he'll get root.
> 4. I don't mind if Bob is a good guy or a bad guy; I don't want
>    anybody to be root on my machines.
> 5. I want to put him in a chroot jail full of suid binaries, but
>    suid not to root, to pseudoroot, where pseudoroot is a
>    non-privileged user.
> 6. Bob can do all his experiments in his nice jail.
> 6. If Bob becomes pseudoroot, I am still safe, since:
>    6.1 he is in a chroot jail
>    6.2 in the jail there isn't any executable suid to a privileged
>        user (root, bin, whatever).
>    6.3 from 6.2, he can't escape from the jail
>
> Is 6.3 correct?

From #2, Bob is running setuid binaries. Presumably he's running a long list of common setuid binaries, otherwise it'd be pointless research.
Chances are that some of those programs are ones which will only work if they run as root. (Say he wanted to pursue buffer overflows in lpd, for instance. Well, to do that he needs to have lpd running, and if you're not running lpd as root then it will not run very well -- at the very least it's an invalid test of lpd.) What makes you think that you can limit his research by refusing to let him run the whole class of real-world setuid programs which have to be run as root? I can just see the brief description of his research: "I am attempting to explore buffer overflows in programs which don't matter in the first place, because they have no special privs".

Given the above, #6.2 is invalid. If you want #4 to be true, given #2 and #3, then Bob needs to be on a machine which is not your machine. I realize you have said that you don't have a spare machine to put him on. I am just saying that if you don't have an extra machine, then chances are good that he'll have root on your machine. And once he has root (real root) on your machine, any chroot environment that you put him in will be irrelevant.

---
Garance Alistair Drosehn     = gad@eclipse.its.rpi.edu
Senior Systems Programmer    or drosih@rpi.edu
Rensselaer Polytechnic Institute
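Condition 6.2 in the quoted scenario is at least something an administrator can verify mechanically: walk the jail tree, list every setuid/setgid executable, and confirm that none of them is owned by root or another privileged account. The script below is an added example, not code from the thread or from FreeBSD; it assumes only POSIX find(1), ls(1) and wc(1), and the jail path `/jail` used in the usage line is a placeholder. It does not make the jail safe in the sense Garance disputes (a setuid-root program inside the jail is still setuid-root, and real root is not contained by chroot); it merely tells you whether the jail you built actually satisfies 6.2, and which programs you would have to drop to get there.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit a chroot tree for
# condition 6.2, i.e. that no executable inside the jail is setuid or setgid
# to a privileged user. Assumes POSIX find(1); /jail below is a placeholder.

# list_suid JAILROOT
# Print every regular file under JAILROOT with the setuid or setgid bit set,
# with numeric owner and mode, so an admin can see what the jail hands out.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ln {} \;
}

# count_suid JAILROOT
# Number of setuid/setgid regular files under JAILROOT (symlinks not followed).
count_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | wc -l | tr -d ' '
}

# count_privileged_suid JAILROOT [UID]
# Number of setuid/setgid files under JAILROOT owned by UID (default 0, root).
# A numeric argument is matched against the file's uid, so this works even
# when the jail has no passwd database of its own.
count_privileged_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -user "${2:-0}" -print \
        | wc -l | tr -d ' '
}

# jail_is_clean JAILROOT [UID...]
# Return 0 when no setuid/setgid file in the jail is owned by any of the
# listed uids (default: 0). Files setuid to "pseudoroot" pass; files setuid
# to root, bin, or any other uid you list do not.
jail_is_clean() {
    root=$1; shift
    [ $# -gt 0 ] || set -- 0
    for uid in "$@"; do
        [ "$(count_privileged_suid "$root" "$uid")" -eq 0 ] || return 1
    done
    return 0
}

# When run with a jail path (e.g. ./audit_jail.sh /jail), print a report.
if [ -n "${1:-}" ]; then
    echo "setuid/setgid files under $1:"
    list_suid "$1"
    if jail_is_clean "$1" 0; then
        echo "OK: nothing under $1 is setuid/setgid to root"
    else
        echo "WARNING: $1 contains files setuid/setgid to root"
    fi
fi
```

Run it against the jail root before letting anyone in, and again whenever the jail's binaries are updated; pass additional uids (e.g. the numeric uid of `bin`) after the path if your definition of "privileged" is wider than root. If the report is empty of root-owned entries but also empty of the programs the research actually targets, that is Garance's point in concrete form.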