From owner-svn-src-all@FreeBSD.ORG Sat Dec 24 20:46:11 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 68D141065670; Sat, 24 Dec 2011 20:46:11 +0000 (UTC) (envelope-from delphij@gmail.com) Received: from mail-tul01m020-f182.google.com (mail-tul01m020-f182.google.com [209.85.214.182]) by mx1.freebsd.org (Postfix) with ESMTP id C67608FC19; Sat, 24 Dec 2011 20:46:10 +0000 (UTC) Received: by obbwd18 with SMTP id wd18so8888556obb.13 for ; Sat, 24 Dec 2011 12:46:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=9shDv7RVHlW3U5Akgl1FXBqCweABM0kqkY/f1F8xC2o=; b=E+KZ7SYBUxJCK3GJHnLszIe5zFkQpJtZoW/gZBx95C7Y4ImyNQQaZq6xUgLm9CJGRL MyLB3x3BEDDCrQeS+aJP79WqTF+gf8sZWaSwAsukt38U8iByLp70hA9/af5qhSHrY0xf vReO2ZxSvBUkyqlv0+JLqhCNms1aC7UfR2/ss= MIME-Version: 1.0 Received: by 10.182.78.165 with SMTP id c5mr17298826obx.60.1324759570224; Sat, 24 Dec 2011 12:46:10 -0800 (PST) Received: by 10.182.67.163 with HTTP; Sat, 24 Dec 2011 12:46:10 -0800 (PST) In-Reply-To: <8E5EE6FA-7BA1-4590-843A-F5C3C0493E5B@FreeBSD.org> References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112231058.46642.jhb@freebsd.org> <201112231122.34436.jhb@freebsd.org> <20111223120644.75fe944d@kan.dyndns.org> <20111223175143.GJ50300@deviant.kiev.zoral.com.ua> <20111224100509.GA98136@vniz.net> <20111224103948.GA10939@vniz.net> <20111224105045.GA11127@vniz.net> <8E5EE6FA-7BA1-4590-843A-F5C3C0493E5B@FreeBSD.org> Date: Sat, 24 Dec 2011 12:46:10 -0800 Message-ID: From: Xin LI To: =?UTF-8?Q?Edward_Tomasz_Napiera=C5=82a?= Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: src-committers@freebsd.org, Andrey Chernov , John Baldwin , svn-src-all@freebsd.org, svn-src-head@freebsd.org, Colin Percival , Kostik Belousov , Alexander Kabaev Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Dec 2011 20:46:11 -0000 2011/12/24 Edward Tomasz Napiera=C5=82a : > Wiadomo=C5=9B=C4=87 napisana przez Andrey Chernov w dniu 24 gru 2011, o g= odz. 11:50: >> On Sat, Dec 24, 2011 at 02:45:21AM -0800, Xin LI wrote: >>> On Sat, Dec 24, 2011 at 2:39 AM, Andrey Chernov wrot= e: >>>> On Sat, Dec 24, 2011 at 02:26:20AM -0800, Xin LI wrote: >>>>> chroot(2) can create legitimate and secure environment where dlopen(2= ) >>>>> is safe and necessary. >>>> >>>> Yes, so ischroot() check can be used only into that places where libc'= s >>>> libc_dlopen() currently used, i.e. placed into libc_dlopen() itself. >>> >>> So it's Okay to break NSS in chroot jail? >> >> We need general solution. We simple can't count all possible and future >> ftpd's arround the world and insert __FreeBSD_libc_enter_restricted_mode= () >> into them. I even not mention other programs that may use chroot() too. = If >> some component like auth is critical for chroot, it should be restricted >> in general scope. > > How about adding a check in dlopen(3) to make sure the file being opened > is owned either by us (getuid(3)) or root and is not writable by anyone e= lse? Won't work because the binary might be run by privileged but chroot user. Again, this is the first proposal that we have considered. Cheers, --=20 Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die