From: Ruslan Ermilov
To: Mark Shepard
cc: freebsd-security@freebsd.org
Date: Sun, 13 Apr 2003 18:41:46 +0300
Subject: Re: chroot() as non-root user?
Message-ID: <20030413154146.GB92320@sunbay.com>
In-Reply-To: <5.2.0.9.2.20030413101417.022481b0@127.0.0.1>
References: <5.2.0.9.2.20030413101417.022481b0@127.0.0.1>
User-Agent: Mutt/1.5.4i
List-Id: Security issues [members-only posting]

On Sun, Apr 13, 2003 at 10:20:35AM -0500, Mark Shepard wrote:
> 
> I suspect this has been asked before but I'll ask anyway.
> 
> Q1: Is it possible for a non-root process to perform a chroot?
> 
> My interest is this: I have a typical ISP hosting account (verio; on a
> FreeBSD 4.4 server.) I'd like to install and run various CGI packages, yet
> protect myself (and my email, and my .ssh keys) from bugs being exploited
> in those CGI packages. Chroot at the start of each CGI would do the trick,
> but requires root. I suspect the answer here is "only root can do this"...
> which leads me to ask, in general:
> 

Yes.

> Q2: Why is chroot() only available to root? I'm aware of *one* security
> issue: if a non-root user can perform chroot(), they can alter the
> name-space "seen" by setuid programs, and potentially compromise them
> (assuming a user-writable directory [like /tmp] on the same partition as a
> setuid program.) Are there any other reasons? (Besides the issues with
> fchdir() which I assume are adequately fixed). Assuming there aren't any
> other issues leads to my last Q... Actually, a proposal:
> 

You could then stuff ${CHROOTDIR}/etc with arbitrary password databases
that would allow you to su(1) there and do anything as root, e.g.,
ifconfig(8).

> Q3: Why not allow non-root users to chroot() _as long as the target dir.
> is on a partition mounted nosuid_? Seems like this would be a simple
> mechanism (both to understand and to implement) and would allow regular
> users to take advantage of chroot to improve the security of scripts, CGIs,
> etc.
> 

chroot(2) has no effect on the process's current directory; you could
hide (hard-link) the setuid program (su(1)) there, so removing this
protection on the syscall level can easily result in a compromise.
chroot(8) changes the current working directory, but it's not setuid
root.
Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
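The point in the reply about chroot(2) and the current directory can be watched directly. The C program below is an added example written for this archive page; it is not code from the thread, from Mark Shepard, or from FreeBSD. It creates a throwaway directory (assumed to live under $TMPDIR or /tmp; the names chroot-demo-PID, jail and canary are the example's own), forks a child, and in the child calls chroot() into the empty jail subdirectory either alone or followed by the chdir("/") that a correct jail needs, then probes "./canary" (resolved from the cwd) and "/canary" (resolved from the new root). It goes one step past the reply by showing the chdir("/") fix next to the bare call. Run as an ordinary user the chroot(2) call itself is refused with EPERM, which is the answer to Q1; run as root it shows that after a bare chroot() the relative path still reaches the file outside the jail. The hard-linked su(1) attack from the reply is not reproduced here.

```c
/*
 * chroot_cwd_demo.c: chroot(2) changes the root directory but not the
 * current working directory.  A process that calls chroot() without a
 * following chdir("/") can still reach the outside tree via relative paths.
 *
 * Added example for this list archive; not code from the thread or from
 * FreeBSD.  The probe runs in a forked child so the caller is never left
 * inside the jail.  As an unprivileged user chroot(2) fails with EPERM and
 * the demo reports that instead of a cwd result.
 */
#define _DEFAULT_SOURCE 1
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

int chroot(const char *);   /* glibc hides this prototype in strict -std=c99 mode */

enum demo_result {
    DEMO_NOT_ROOT    = 2,   /* chroot(2) refused with EPERM: caller is not root */
    DEMO_CWD_OUTSIDE = 3,   /* chroot() alone: "./canary" outside the jail still readable */
    DEMO_CWD_INSIDE  = 4,   /* chroot() + chdir("/"): relative paths now stay inside */
    DEMO_ERROR       = 5    /* setup failure or an outcome that should not happen */
};

/* Create <base>/jail (empty) and the file <base>/canary to probe for. */
static int make_layout(const char *base)
{
    char path[PATH_MAX];
    int fd;

    if (mkdir(base, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(path, sizeof path, "%s/jail", base);
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(path, sizeof path, "%s/canary", base);
    fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

static void remove_layout(const char *base)
{
    char path[PATH_MAX];

    snprintf(path, sizeof path, "%s/canary", base);
    unlink(path);
    snprintf(path, sizeof path, "%s/jail", base);
    rmdir(path);
    rmdir(base);
}

/*
 * In a child: cd into <base>, chroot("jail"), optionally chdir("/"), then
 * test whether "./canary" (relative, resolved from the cwd) and "/canary"
 * (absolute, resolved from the new root) are reachable.  Returns a demo_result.
 */
int chroot_cwd_demo(int chdir_after_chroot)
{
    const char *tmp = getenv("TMPDIR");
    char base[PATH_MAX];
    pid_t pid;
    int status;

    snprintf(base, sizeof base, "%s/chroot-demo-%ld",
             tmp ? tmp : "/tmp", (long)getpid());
    if (make_layout(base) != 0)
        return DEMO_ERROR;

    pid = fork();
    if (pid == 0) {
        int rel, abs_;

        if (chdir(base) != 0)
            _exit(DEMO_ERROR);
        if (chroot("jail") != 0)
            _exit(errno == EPERM ? DEMO_NOT_ROOT : DEMO_ERROR);
        if (chdir_after_chroot && chdir("/") != 0)
            _exit(DEMO_ERROR);
        rel  = access("./canary", R_OK) == 0;
        abs_ = access("/canary", R_OK) == 0;
        if (abs_)               /* jail/ is empty, so /canary must not resolve */
            _exit(DEMO_ERROR);
        _exit(rel ? DEMO_CWD_OUTSIDE : DEMO_CWD_INSIDE);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) {
        remove_layout(base);
        return DEMO_ERROR;
    }
    remove_layout(base);
    return WEXITSTATUS(status);
}

/* 1 if the outcome is the one the reply predicts for this variant. */
int chroot_cwd_demo_ok(int chdir_after_chroot)
{
    int r = chroot_cwd_demo(chdir_after_chroot);

    if (r == DEMO_NOT_ROOT)
        return 1;
    return chdir_after_chroot ? r == DEMO_CWD_INSIDE : r == DEMO_CWD_OUTSIDE;
}

int main(void)
{
    static const char *const name[] = {
        [DEMO_NOT_ROOT]    = "EPERM: chroot(2) needs root",
        [DEMO_CWD_OUTSIDE] = "cwd still outside the jail: ./canary readable",
        [DEMO_CWD_INSIDE]  = "cwd inside the jail: ./canary unreachable",
        [DEMO_ERROR]       = "error",
    };

    printf("chroot() only:         %s\n", name[chroot_cwd_demo(0)]);
    printf("chroot() + chdir(\"/\"): %s\n", name[chroot_cwd_demo(1)]);
    return 0;
}
```

Build with `cc -o chroot_cwd_demo chroot_cwd_demo.c`; as a normal user both lines print the EPERM result, and as root the first line shows the leaked cwd while the second shows the closed one. This is the same property chroot(8) papers over by calling chdir() for you, and it is one reason handing chroot(2) to unprivileged users is not as contained as it looks.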