From: "Marco Molteni" <molter@tin.it>
Date: Sat, 19 Dec 1998 14:59:07 +0100 (CET)
To: Garance A Drosihn
cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)

On Sat, 19 Dec 1998, Garance A Drosihn wrote:

> Marco Molteni wrote:
> >Scenario:
> >
> > 1. Bob is a non-privileged user.
> > 2. Bob actively searches for buffer overflows in suid binaries.
> > 3. If Bob is able to do his job, sooner or later he'll get root.
> > 4. I don't mind if Bob is a good guy or a bad guy, I don't want
> >    anybody to be root on my machines.
> > 5. I want to put him in a chroot jail full of suid binaries, but
> >    suid not to root, to pseudoroot, where pseudoroot is a
> >    non-privileged user.
> > 6. Bob can do all his experiments in his nice jail.
> > 6. If Bob becomes pseudoroot, I am still safe, since:
> >    6.1 he is in a chroot jail
> >    6.2 in the jail there isn't any executable suid to a privileged
> >        user (root, bin, whatever).
> >    6.3 from 6.2, he can't escape from the jail
> >
> > Is 6.3 correct?
>
> From #2, Bob is running setuid binaries. Presumably he's running a long
> list of common setuid binaries, otherwise it'd be pointless research.

Yes, this is what I think.

> Chances are that some of those programs are ones which will only work
> if they run as root. (Say he wanted to pursue buffer overflows in lpr,
> for instance. Well, to do that he needs to have lpd running, and if
> you're not running lpd as root then it will not run very well -- at the
> very least it's an invalid test of lpd.)

I see your point.

> What makes you think that you can limit his research by refusing to let
> him run the whole class of real-world setuid programs which have to be
> run as root?

As many already said, the only reasonable thing to do was, from the start,
to give him spare machines to play with. Sometimes you have to accept
situations you don't like. Since I have to give him an account, to limit
the damage I'll put him in a custom-tailored jail. If he is not
comfortable with the environment / cannot do his tests, he'll have to
physically bring my professor in front of me asking for more. At that
time, I'll fight ;-)

Marco
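Condition 6.2 in the scenario above ("in the jail there isn't any executable suid to a privileged user") is something the jail's administrator can verify mechanically rather than by inspection. The following POSIX shell audit is an added example, not code from the thread or from FreeBSD: it walks a chroot tree, lists every setuid-root-style file with its numeric owner, and flags owners at or below a uid threshold. The threshold of 99 (system accounts such as root and bin on a typical BSD `passwd`) and the function names are assumptions for the example; adjust the cutoff to match the local account layout.

```shell
#!/bin/sh
# Added example: audit a chroot tree for setuid executables owned by privileged
# accounts, i.e. check condition 6.2 of the jail scenario.
#
# audit_setuid_tree ROOT [MAX_PRIV_UID]
#   Prints one line per setuid regular file under ROOT:
#     "PRIVILEGED <uid> <path>"  owner uid <= MAX_PRIV_UID (assumed: a system account)
#     "ok <uid> <path>"          owner is an ordinary account (e.g. the "pseudoroot" user)
#   MAX_PRIV_UID defaults to 99 (assumption: uids 0..99 are system accounts).
audit_setuid_tree() {
    root="$1"
    max="${2:-99}"
    # -type f skips symlinks and devices; -perm -4000 matches the setuid bit
    # regardless of the other permission bits (portable to BSD and GNU find).
    find "$root" -type f -perm -4000 | while IFS= read -r f; do
        # ls -ln gives the numeric owner in field 3 on both BSD and GNU ls,
        # which avoids the non-portable stat(1) flag differences.
        uid=$(ls -ln "$f" | awk '{print $3}')
        if [ "$uid" -le "$max" ]; then
            printf 'PRIVILEGED %s %s\n' "$uid" "$f"
        else
            printf 'ok %s %s\n' "$uid" "$f"
        fi
    done
}

# jail_is_safe ROOT [MAX_PRIV_UID]
#   Exit status 0 when no setuid file under ROOT is owned by a privileged uid
#   (condition 6.2 holds), 1 otherwise. Suitable for a pre-deployment check
#   or a periodic cron job that alerts when a privileged setuid file appears.
jail_is_safe() {
    if audit_setuid_tree "$1" "$2" | grep -q '^PRIVILEGED '; then
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /path/to/jail
if [ -n "$1" ]; then
    audit_setuid_tree "$1"
    if jail_is_safe "$1"; then
        echo "6.2 holds: no setuid files owned by privileged accounts under $1"
    else
        echo "6.2 VIOLATED: privileged setuid files found under $1" >&2
        exit 1
    fi
fi
```

The check only covers the file-ownership half of the argument. It does not detect a world-writable directory or a device node inside the jail, and it says nothing about whether the kernel's chroot boundary itself holds, which is the part of 6.3 the rest of the thread disputes; rerun it after every package install into the jail, since a package's own install script may add setuid files.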