Date:      Fri, 23 Dec 2011 11:21:27 -0800
From:      Xin Li <delphij@delphij.net>
To:        John Baldwin <jhb@freebsd.org>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, d@delphij.net, Colin Percival <cperciva@freebsd.org>
Subject:   Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
Message-ID:  <4EF4D4B7.7020109@delphij.net>
In-Reply-To: <201112231058.46642.jhb@freebsd.org>
References:  <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112231058.46642.jhb@freebsd.org>

On 12/23/11 07:58, John Baldwin wrote:
> On Friday, December 23, 2011 10:00:38 am Colin Percival wrote:
>> Author: cperciva
>> Date: Fri Dec 23 15:00:37 2011
>> New Revision: 228843
>> URL: http://svn.freebsd.org/changeset/base/228843
>> 
>> Log: Fix a problem whereby a corrupt DNS record can cause named
>> to crash. [11:06]
>> 
>> Add an API for alerting internal libc routines to the presence
>> of "unsafe" paths post-chroot, and use it in ftpd. [11:07]
> 
> Eh, the whole libc_dlopen() thing looks like a gross hack (and who
> came up with that weird symbol name for a public API????).  Is it
> really even needed given the other fix to have ftpd drop privilege
> before execing a helper program?  I guess the main reason I don't
> like it is it doesn't do

This is not sufficient if only privileges are dropped.  The attacker
can still get e.g. a shell or start an IRC bot if the application is
not careful enough.

The current form the patch is in is based on a lengthy discussion
between secteam@ and re@, and we did think about other alternatives,
like using a wrapper around chroot(2) and containing everything in it, or
checking permissions on certain "important" files, etc.  These would
require changes to chroot(2) semantics, which could break existing
installations, and the outcome could be quite silent, which eventually
results in this.

Cheers,
-- 
Xin LI <delphij@delphij.net>	https://www.delphij.net/
FreeBSD - The Power to Serve!		Live free or die