From owner-freebsd-security Sun Jul 12 02:35:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA04234 for freebsd-security-outgoing; Sun, 12 Jul 1998 02:35:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from critter.freebsd.dk (critter.freebsd.dk [195.8.133.1] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA04221 for ; Sun, 12 Jul 1998 02:34:59 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.8.7/8.8.5) with ESMTP id LAA00358; Sun, 12 Jul 1998 11:32:27 +0200 (CEST) To: Adam Shostack cc: angelos@dsl.cis.upenn.edu, security@FreeBSD.ORG Subject: Re: chroot() In-reply-to: Your message of "Sun, 12 Jul 1998 03:35:07 EDT." <199807120735.DAA06281@homeport.org> Date: Sun, 12 Jul 1998 11:32:27 +0200 Message-ID: <356.900235947@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Poul-Henning Kamp wrote: >| In message <199807110241.WAA21195@adk.gr>, "Angelos D. Keromytis" writes: >| >| >Keep in mind that it's trivial to escape from a root shell if you have >| >root (or can do certain things). chroot() is unfortunately far from >| >perfect. >| >| A FreeBSD user has paid me to strengthen the chroot() concept, and the code >| will go into FreeBSD when he has had time to get his money back through >| the use of it. > >Can you talk about what strengthening you've done? You give them an IP# and their own root password, they can't fuck you over except for resource contention (filling disks, hogging cpu &c). -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." "ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message