From owner-freebsd-security Wed Nov 29 07:27:56 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id HAA22701 for security-outgoing; Wed, 29 Nov 1995 07:27:56 -0800
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id HAA22696 for ; Wed, 29 Nov 1995 07:27:50 -0800
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0tKoN4-0003wGC; Wed, 29 Nov 95 07:24 PST
Received: from localhost (localhost [127.0.0.1]) by critter.tfs.com (8.6.11/8.6.9) with SMTP id QAA00425; Wed, 29 Nov 1995 16:24:27 +0100
X-Authentication-Warning: critter.tfs.com: Host localhost didn't use HELO protocol
To: "Andrew V. Stesin"
cc: security@FreeBSD.ORG
Subject: Re: chroot/setuid vs type enforcement (fwd)
In-reply-to: Your message of "Wed, 29 Nov 1995 12:01:31 +0200." <199511291001.MAA15889@office.elvisti.kiev.ua>
Date: Wed, 29 Nov 1995 16:24:27 +0100
Message-ID: <423.817658667@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

> Here are interesting thoughts about hardening security of chrooted
> environment...
>
> # Let's examine one possibility. Suppose I am using chroot() to
> # protect my firewall. And the argument I want to make is that I want
> # to be sure, for sure, that nobody can tweak a buffer overrun and
> # call a socket from inside the chrooted area.

Amongst other things in this context you need to spoof/handle:

	the actual pid of "PID==1", since you don't want them to send
	weird signals to init.

	/dev: you probably don't even want them to be able to do a mknod...

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.