From: Julian Assange
Message-Id: <199702231416.BAA10178@profane.iq.org>
Subject: Re: o [1997/02/01] bin/2634 rtld patches for easy creation of chroot enviroments
In-Reply-To: <3.0.32.19970223144902.00c19100@dimaga.com> from Eivind Eklund at "Feb 23, 97 02:49:03 pm"
To: eivind@dimaga.com (Eivind Eklund)
Date: Mon, 24 Feb 1997 01:16:47 +1100 (EST)
Cc: hackers@freebsd.org, security@freebsd.org

> Not quite. If we allow users to do this to setuid binaries, they can make
> setuid programs read dangerous config files, and exploit the new behaviour.
> A really simple example would be to create a fake /etc with a new
> master.passwd and run su. Sure, you have su only in the chroot()ed
> environment, but you could easily create a new suid binary...
>
> There is a reason chroot() is restricted to root, and I think we'd better
> keep that. If the patch was changed to restrict use to non-suid only (ie,
> root only), I'd be much more comfortable with it.

It is restricted to non-suid, just the same as LD_PRELOAD is. There is
an "unsafe" field in the scan_tab for all environmental variables used by
ld.so. It's set to on for LD_CHROOT. You may want to have a look at this
before presuming I'm a complete fool ;)

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery