Date: Wed, 23 Dec 1998 04:23:51 -0600
From: Zach Heilig <zach@gaffaneys.com>
To: Harold Gutch <logix@foobar.franken.de>, Zach Heilig <zach@gaffaneys.com>, Garance A Drosihn <drosih@rpi.edu>, Marco Molteni <molter@tin.it>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
Message-ID: <19981223042351.A41978@znh.org>
In-Reply-To: <19981223060810.A5560@foobar.franken.de>; from Harold Gutch on Wed, Dec 23, 1998 at 06:08:10AM +0100
References: <62537.913989002@zippy.cdrom.com> <Pine.BSF.3.96.981218193124.339A-100000@nympha> <v04011701b2a129cee810@[128.113.24.47]> <19981221174222.A1588@foobar.franken.de> <19981222092831.A31250@znh.org> <19981223060810.A5560@foobar.franken.de>

On Wed, Dec 23, 1998 at 06:08:10AM +0100, Harold Gutch wrote:
> > A non-privileged user does not buy anything, if there is any worry that this
> > "bob" wants to perform malicious acts as root.
> Of course it does, basically you're saying "a suid bit gives you
> root rights, no matter who owns the file".

Ok, pretend for a moment that in this jail, a vulnerability is found in
$JAIL/usr/bin/crontab

It is identical to the normal /usr/bin/crontab, but instead of being owned by root, it is owned by pseudo-root. No matter what happens, root will not be obtained from attacking $JAIL/usr/bin/crontab.

But, if you apply the same attack that works against the jail version of 'crontab' to /usr/bin/crontab (same as the jail version, except for owner), root privileges will be obtained.

Even if "bob" only has one account that goes straight into this jail, as long as there are other user accounts on the machine, it wouldn't be very hard to get non-jail access. In my experience, it is very easy to obtain a username/password pair... just ask the user that "owns" them -- about half will answer the question without much, if any, 'resistance'. I've even had people volunteer this sort of information.

-- 
Zach Heilig (zach@gaffaneys.com)
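
An added example, not part of the original message: a Python audit that lists every set-uid file under a jail tree together with its owner, since the message's argument is that the owner of a set-uid file decides which uid a successful attack on it yields. The function names and the sample tree are constructed for illustration.

```python
import os
import stat


def audit_setuid(jail_root):
    """Return sorted (path, owner_uid, grants_root) for set-uid regular files."""
    findings = []
    # os.walk does not descend into symlinked directories by default.
    for dirpath, _dirnames, filenames in os.walk(jail_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                # The set-uid bit makes the program run as the file's owner,
                # so only an owner of uid 0 turns a bug in it into root.
                findings.append((path, st.st_uid, st.st_uid == 0))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: a jail-like tree with one set-uid file and one plain file."""
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("crontab", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # set the mode after writing so the bit is kept
    return root


if __name__ == "__main__":
    import sys
    import tempfile

    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    for path, uid, grants_root in audit_setuid(root):
        verdict = "runs as root" if grants_root else "runs as uid %d only" % uid
        print("%s: set-uid, owner uid %d, %s" % (path, uid, verdict))
```

Run it once against the jail directory and once against the host's own /usr/bin to see the difference in ownership the message describes.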