From: Andrey Chernov <ache@vniz.net>
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, Doug Barton, John Baldwin
Date: Fri, 30 Dec 2011 00:35:16 +0400
Message-ID: <20111229203515.GA51102@vniz.net>
In-Reply-To: <4EFCCA63.5070409@delphij.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
On Thu, Dec 29, 2011 at 12:15:31PM -0800, Xin Li wrote:
> > Instead of total disabling we can (by calling rtld function)
> > restrict dlopen() in ftpd() to absolute path of known safe
> > directories list like "/etc" "/lib" "/usr/lib" etc.
>
> This just came back to the origin!! These "safe" locations are not
> necessarily safe inside a chroot environment, and the issue was
> exactly loading a library underneath /lib/.
>
> I just realized that someone has removed some details from my
> advisory draft, by the way. To clarify: the chroot issue is not about
> the usual usage of chroot, but the fact that many chroot setups are
> not safe (e.g. "recommended" practice is to create a user-writable
> directory under the chroot root with everything else read-only).

Insecure (non-root /lib) may happen by admin mistake, which is a very different situation from loading a .so from the current (say /incoming/) directory. We can't provide babysitting for every admin in our code, but only in our documentation (probably by repeating the same thing in the ftpd docs and the chroot docs). And many admins don't need babysitting and may take it as an unnecessary restriction.

-- 
http://ache.vniz.net/
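As an added illustration of the point argued in this thread (example code, not from the thread and not FreeBSD's ftpd or rtld): an absolute-path allowlist for dlopen() says nothing about whether the directory is trustworthy inside a chroot, so the check below instead walks every component from the chroot root down and rejects the path if any component is a symlink, not owned by the trusted uid, or group/world writable. The trusted uid, the demo tree under /tmp, and the names lib/ and incoming/ are assumptions that mirror the read-only versus user-writable layout the thread describes.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk from the chroot root through each component of rel. Each one must be
 * owned by trusted_uid, not a symlink, not group/world writable.
 * Returns 1 if the whole path is trusted, 0 if not, -1 on error. */
int path_is_trusted(const char *root, const char *rel, uid_t trusted_uid)
{
    char path[PATH_MAX];
    struct stat st; const char *p = rel;
    if (snprintf(path, sizeof path, "%s", root) >= (int)sizeof path)
        return -1;
    for (;;) {
        if (lstat(path, &st) != 0) return -1;
        if (S_ISLNK(st.st_mode) || st.st_uid != trusted_uid ||
            (st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
            return 0;                       /* untrusted component: stop here */
        while (*p == '/') p++;              /* skip separators */
        if (*p == '\0') return 1;           /* every component passed */
        const char *end = strchr(p, '/');   /* append the next component */
        size_t len = end ? (size_t)(end - p) : strlen(p);
        size_t cur = strlen(path);
        if (cur + 1 + len >= sizeof path) return -1;
        path[cur] = '/';
        memcpy(path + cur + 1, p, len);
        path[cur + 1 + len] = '\0';
        p += len;
    }
}

/* Constructed demo (assumption: a throwaway tree under /tmp stands in for the
 * chroot): lib/ is 0755, incoming/ is 01777 like a user-writable upload area.
 * Returns bit 0 = lib trusted, bit 1 = incoming trusted (expected: 1). */
int demo_chroot_lib_check(void)
{
    char root[] = "/tmp/chrootXXXXXX", lib[PATH_MAX], inc[PATH_MAX];
    if (mkdtemp(root) == NULL) return -1;   /* created 0700, owned by us */
    snprintf(lib, sizeof lib, "%s/lib", root);
    snprintf(inc, sizeof inc, "%s/incoming", root);
    if (mkdir(lib, 0755) || mkdir(inc, 0777) || chmod(inc, 01777))
        return -1;                          /* chmod defeats the umask */
    int a = path_is_trusted(root, "lib", getuid());
    int b = path_is_trusted(root, "incoming", getuid());
    return (a < 0 || b < 0) ? -1 : (a | (b << 1));
}
```

The same walk applied to the library file itself (for example "lib/libfoo.so") also catches a world-writable file inside an otherwise read-only directory.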