From owner-freebsd-security Wed Dec 23 02:27:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA25469 for freebsd-security-outgoing; Wed, 23 Dec 1998 02:27:28 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from k6n1.znh.org (dialup9.gaffaneys.com [208.155.161.59]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA25446 for ; Wed, 23 Dec 1998 02:27:11 -0800 (PST) (envelope-from zach@gaffaneys.com)
Received: (from zach@localhost) by k6n1.znh.org (8.9.1/8.9.1) id KAA42012; Wed, 23 Dec 1998 10:23:51 GMT (envelope-from zach)
Message-ID: <19981223042351.A41978@znh.org>
Date: Wed, 23 Dec 1998 04:23:51 -0600
From: Zach Heilig
To: Harold Gutch , Zach Heilig , Garance A Drosihn , Marco Molteni
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
References: <62537.913989002@zippy.cdrom.com> <19981221174222.A1588@foobar.franken.de> <19981222092831.A31250@znh.org> <19981223060810.A5560@foobar.franken.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <19981223060810.A5560@foobar.franken.de>; from Harold Gutch on Wed, Dec 23, 1998 at 06:08:10AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Dec 23, 1998 at 06:08:10AM +0100, Harold Gutch wrote:
> > A non-privileged user does not buy anything, if there is any worry that this
> > "bob" wants to perform malicious acts as root.
> Of course it does, basically you're saying "a suid bit gives you
> root rights, no matter who owns the file".

Ok, pretend for a moment that in this jail, a vulnerability is found in
$JAIL/usr/bin/crontab. It is identical to the normal /usr/bin/crontab, but
instead of being owned by root, it is owned by pseudo-root. No matter what
happens, root will not be obtained from attacking $JAIL/usr/bin/crontab.

But, if you apply the same attack that works against the jail version of
'crontab' to /usr/bin/crontab (same as the jail version, except for owner),
root privileges will be obtained.

Even if "bob" only has one account that goes straight into this jail, as long
as there are other user accounts on the machine, it wouldn't be very hard to
get non-jail access. In my experience, it is very easy to obtain a
username/password pair... just ask the user that "owns" them -- about half
will answer the question without much, if any, 'resistance'. I've even had
people volunteer this sort of information.

-- 
Zach Heilig (zach@gaffaneys.com)
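As an added example (my code, not part of Zach's message and not a FreeBSD tool), here is the defender's check that the jail layout argued about above calls for: walk a jail tree, list every setuid/setgid regular file with its owner, and flag any that is setuid uid 0, since a jail populated only with pseudo-root-owned binaries should contain none. The jail path is a hypothetical argument and the demo tree is constructed sample input.

```python
import os
import stat
import tempfile

def audit_setuid(jail_root):
    """Walk jail_root and return one dict per regular file carrying the
    setuid or setgid bit: relative path, owner uid/gid, and whether it is
    setuid root (uid 0).  Files are lstat'ed, so a symlink pointing outside
    the jail is skipped rather than followed."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(jail_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            is_suid = bool(st.st_mode & stat.S_ISUID)
            is_sgid = bool(st.st_mode & stat.S_ISGID)
            if not (is_suid or is_sgid):
                continue
            findings.append({
                "path": os.path.relpath(path, jail_root),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "setuid": is_suid,
                "setgid": is_sgid,
                "setuid_root": is_suid and st.st_uid == 0,  # real root if exploited
            })
    return sorted(findings, key=lambda f: f["path"])

def setuid_root_files(jail_root):
    """Only the findings that would hand out real root if exploited."""
    return [f["path"] for f in audit_setuid(jail_root) if f["setuid_root"]]

def build_demo_jail():
    """Constructed sample input, not a real jail: a throwaway tree with a
    setuid 'crontab', a setgid 'wall' and a plain 'ls', all owned by the
    caller.  Returns (jail_root, owner_uid) so the caller can tell whether
    the owner happens to be uid 0 (i.e. the audit was run as root)."""
    root = tempfile.mkdtemp(prefix="jail-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("crontab", 0o4755), ("wall", 0o2755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root, os.lstat(bindir).st_uid
```

Run `audit_setuid("/path/to/jail")` against a real jail and anything reported with `setuid_root` true is a binary that contradicts the pseudo-root scheme and deserves the same scrutiny as its /usr/bin twin.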