Date: Tue, 22 Dec 1998 09:28:31 -0600
From: Zach Heilig
To: Harold Gutch, Garance A Drosihn, Marco Molteni
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
Message-ID: <19981222092831.A31250@znh.org>
In-Reply-To: <19981221174222.A1588@foobar.franken.de>

On Mon, Dec 21, 1998 at 05:42:22PM +0100, Harold Gutch wrote:
> > From #2, Bob is running setuid binaries.  Presumably he's running a
> Binaries suid to some _unprivileged_ user.
> That's the whole point Marco is trying to make here.
> "bob" will eventually manage to become some other user.
> So, in case "bob" manages to exploit some buffer overflow or
> whatever other bugs your suid binary has, he will only be able to
> become another _unprivileged_ user.
> Unless he can do further harm from this uid, you are safe.
> He will not be able to break out of the chroot-jail unless he himself
> is root (at least I have no idea how you'd break out being a
> normal unprivileged user).

There is no need to break out of the chroot environment after finding a
working attack.
Assuming that "bob" is attacking what is normally an suid-root binary, and
assuming this "bob" has a regular account as well, any attack that works
against the suid-non-root user binary also works against the (otherwise
identical) suid-root binary.  A non-privileged user does not buy anything,
if there is any worry that this "bob" wants to perform malicious acts as root.

-- 
Zach Heilig (zach@gaffaneys.com)
Our one strength was that our senior officers were more flexible than theirs...
How's that?
We can customize our colonels. [ Illiad in User Friendly, Dec. 1, 1998 ]