Date: Fri, 30 Dec 2011 00:35:16 +0400
From: Andrey Chernov <ache@FreeBSD.ORG>
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, Doug Barton <dougb@FreeBSD.ORG>, John Baldwin <jhb@FreeBSD.ORG>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
Message-ID: <20111229203515.GA51102@vniz.net>
In-Reply-To: <4EFCCA63.5070409@delphij.net>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <4EF6444F.6090708@FreeBSD.org> <CAGMYy3uzLXMvw40q1hM9dnHGxxh%2BeO_8Y1nbNKsPSB_Aenmm7w@mail.gmail.com> <201112290939.53665.jhb@freebsd.org> <4EFCB0C9.6090608@delphij.net> <20111229183606.GA48785@vniz.net> <4EFCBC60.3080607@delphij.net> <20111229194229.GA49908@vniz.net> <4EFCCA63.5070409@delphij.net>
On Thu, Dec 29, 2011 at 12:15:31PM -0800, Xin Li wrote:
> > Instead of total disabling we can (by calling rtld function)
> > restrict dlopen() in ftpd() to absolute path of known safe
> > directories list like "/etc" "/lib" "/usr/lib" etc.
>
> This just came back to the origin!!  These "safe" locations are never
> necessarily safe inside a chroot environment and the issue was
> exactly loading a library underneath /lib/.
>
> I just realized that someone has removed some details from my
> advisory draft by the way.  To clarify: the chroot issue is not about
> the usual usage of chroot, but the fact that many chroot setups are
> not safe (e.g. "recommended" practice is to create a user writable
> directory under the chroot root with everything else read-only).

Unsecure (non-root /lib) may happen by admin mistake, which is a very
different situation from loading a .so from the current (say /incoming/)
directory. We can't provide babysitting for every admin by our code, but
can by our documentation only (probably by repeating the same thing in
ftpd docs and chroot docs). And many admins don't need babysitting and
may take it as an unnecessary restriction.

-- 
http://ache.vniz.net/
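An added example, not part of the original message and not FreeBSD's code: a C version of the check this exchange is arguing about, combining the allowlist of absolute directories with the ownership test that the chroot objection calls for before a path would be handed to dlopen(). The function names and the allowlist array are assumptions; the directories are the ones named in the message.

```c
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumed allowlist: the directories named in the message. */
static const char *const safe_dirs[] = { "/etc/", "/lib/", "/usr/lib/" };

/* Path-only check: absolute, no "/.." anywhere (conservative), allowlisted prefix. */
int path_in_allowlist(const char *path)
{
    size_t i;

    if (path == NULL || path[0] != '/' || strstr(path, "/..") != NULL)
        return 0;
    for (i = 0; i < sizeof(safe_dirs) / sizeof(safe_dirs[0]); i++)
        if (strncmp(path, safe_dirs[i], strlen(safe_dirs[i])) == 0)
            return 1;
    return 0;
}

/* A component is trusted only if root owns it and group/other cannot write it. */
int owner_mode_ok(uid_t uid, mode_t mode)
{
    return uid == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Check "/", then every longer prefix, as seen from the current root, so a
 * non-root or writable /lib inside a chroot fails. stat() follows symlinks. */
int lib_path_is_trusted(const char *path)
{
    char buf[1024];
    struct stat sb;
    size_t i, n, len;

    if (!path_in_allowlist(path) || (len = strlen(path)) >= sizeof(buf))
        return 0;
    for (i = 0; i <= len; i++) {
        if (path[i] != '/' && path[i] != '\0')
            continue;
        n = i ? i : 1;                      /* i == 0 is the root itself */
        memcpy(buf, path, n);
        buf[n] = '\0';
        if (stat(buf, &sb) != 0 || !owner_mode_ok(sb.st_uid, sb.st_mode))
            return 0;
    }
    return S_ISREG(sb.st_mode) ? 1 : 0;     /* last stat was the full path */
}

int main(int argc, char **argv)
{
    return (argc > 1 && lib_path_is_trusted(argv[1])) ? 0 : 1;
}
```

The check is subject to a race between stat() and the later load, so it narrows the admin-mistake case rather than replacing a correctly owned chroot tree.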