From: Xin Li
Organization: The FreeBSD Project
Date: Fri, 23 Dec 2011 11:21:27 -0800
To: John Baldwin
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, d@delphij.net, Colin Percival
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On 12/23/11 07:58, John Baldwin wrote:
> On Friday, December 23, 2011 10:00:38 am Colin Percival wrote:
>> Author: cperciva
>> Date: Fri Dec 23 15:00:37 2011
>> New Revision: 228843
>> URL: http://svn.freebsd.org/changeset/base/228843
>>
>> Log:
>>   Fix a problem whereby a corrupt DNS record can cause named
>>   to crash. [11:06]
>>
>>   Add an API for alerting internal libc routines to the presence
>>   of "unsafe" paths post-chroot, and use it in ftpd. [11:07]
>
> Eh, the whole libc_dlopen() thing looks like a gross hack (and who
> came up with that weird symbol name for a public API????). Is it
> really even needed given the other fix to have ftpd drop privilege
> before execing a helper program? I guess the main reason I don't
> like it is it doesn't do

This is not sufficient if only privileges are dropped. The attacker
can still get e.g. a shell or start an IRC bot if the application is
not careful enough.

The current form of the patch is based on a lengthy discussion between
secteam@ and re@, and we did think about other alternatives, like using
a wrapper around chroot(2) and contain everything in it, or check
permissions on certain "important" files, etc. These would require
changes to chroot(2) semantics which could break existing installations
and the outcome could be quite silent which eventually results in this.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die