Date: Sat, 24 Dec 2011 12:46:10 -0800 From: Xin LI <delphij@gmail.com> To: =?UTF-8?Q?Edward_Tomasz_Napiera=C5=82a?= <trasz@freebsd.org> Cc: src-committers@freebsd.org, Andrey Chernov <ache@freebsd.org>, John Baldwin <jhb@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org, Colin Percival <cperciva@freebsd.org>, Kostik Belousov <kostikbel@gmail.com>, Alexander Kabaev <kabaev@gmail.com> Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... Message-ID: <CAGMYy3u3ixg0rh16JFwL00a%2BH-qGb60LTR2tLgCrRXfAhMrvFA@mail.gmail.com> In-Reply-To: <8E5EE6FA-7BA1-4590-843A-F5C3C0493E5B@FreeBSD.org> References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112231058.46642.jhb@freebsd.org> <201112231122.34436.jhb@freebsd.org> <20111223120644.75fe944d@kan.dyndns.org> <20111223175143.GJ50300@deviant.kiev.zoral.com.ua> <20111224100509.GA98136@vniz.net> <CAGMYy3s4YM-j165o9p%2BEDgMf0%2BaJq7gKj5yR=LK8_yfECnbtog@mail.gmail.com> <20111224103948.GA10939@vniz.net> <CAGMYy3vUMUi0ajADs2AdVRPfWQShmjfXDHfrKTFBmHGiNTWPFA@mail.gmail.com> <20111224105045.GA11127@vniz.net> <8E5EE6FA-7BA1-4590-843A-F5C3C0493E5B@FreeBSD.org>
2011/12/24 Edward Tomasz Napierała <trasz@freebsd.org>:
> Message written by Andrey Chernov on 24 Dec 2011, at 11:50:
>> On Sat, Dec 24, 2011 at 02:45:21AM -0800, Xin LI wrote:
>>> On Sat, Dec 24, 2011 at 2:39 AM, Andrey Chernov <ache@freebsd.org> wrote:
>>>> On Sat, Dec 24, 2011 at 02:26:20AM -0800, Xin LI wrote:
>>>>> chroot(2) can create a legitimate and secure environment where dlopen(2)
>>>>> is safe and necessary.
>>>>
>>>> Yes, so the ischroot() check can be used only in those places where libc's
>>>> libc_dlopen() is currently used, i.e. placed into libc_dlopen() itself.
>>>
>>> So it's okay to break NSS in a chroot jail?
>>
>> We need a general solution. We simply can't count all possible and future
>> ftpd's around the world and insert __FreeBSD_libc_enter_restricted_mode()
>> into them. I do not even mention other programs that may use chroot() too. If
>> some component like auth is critical for chroot, it should be restricted
>> in general scope.
>
> How about adding a check in dlopen(3) to make sure the file being opened
> is owned either by us (getuid(3)) or root and is not writable by anyone else?

Won't work because the binary might be run by a privileged but chrooted user.

Again, this is the first proposal that we have considered.

Cheers,
-- 
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
