Date: Sun, 3 Nov 1996 19:18:36 -0800
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: newton@communica.com.au (Mark Newton), Don.Lewis@tsc.tdk.com (Don Lewis)
Cc: marcs@znep.com, dev@trifecta.com, freebsd-security@FreeBSD.org
Subject: Re: chroot() security
Message-ID: <199611040318.TAA10265@salsa.gv.ssi1.com>
In-Reply-To: newton@communica.com.au (Mark Newton) "Re: chroot() security" (Nov 3, 4:36am)
On Nov 3, 4:36am, Mark Newton wrote:
} Subject: Re: chroot() security
} Don Lewis wrote:
}
} > BTW, thanks for mentioning ptrace(). I hadn't thought of that one.
}
} There's a far more obvious one: The same data structures and library
} routines which provide "ps" with its ability to find the process table in
} kvm space can permit an attacker with root privileges in a chroot()'ed
} environment to find the process table for the purpose of changing his
} root directory right back to what it used to be by reading and writing
} /dev/kmem.

You're correct, that one is more obvious. Writes to /dev/kmem can be used
for other evil things as well.

The obvious fixes are to do one or more of the following:

Don't put /dev/kmem within reach of the chroot()ed process.

Turn on securelevel, which I believe prohibits writes to /dev/kmem, even
by root.

--- Truck
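The first fix above (keep /dev/kmem and similar device nodes out of the chroot tree) is easy to verify mechanically. The audit script below is an added example written for this archive page, not code from the thread or from FreeBSD; it walks a chroot directory without following symlinks, reports every character or block device node found there, and reads kern.securelevel through sysctl where that tool exists (the function names and the report layout are the example's own).

```python
import os
import stat
import subprocess
import sys
import tempfile
from typing import List, Optional


def is_device_node(st_mode: int) -> bool:
    """True for character or block device nodes (e.g. /dev/kmem, /dev/mem)."""
    return stat.S_ISCHR(st_mode) or stat.S_ISBLK(st_mode)


def find_device_nodes(root: str) -> List[str]:
    """List every device node under a chroot tree, without following symlinks.

    A process that is root inside the tree can open any node listed here, so a
    hardened tree should yield an empty list (or only nodes the service needs,
    such as /dev/null, which a reviewer then confirms are harmless)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never resolve symlinks out of the tree
            except OSError:
                continue
            if is_device_node(st.st_mode):
                found.append(path)
    return sorted(found)


def securelevel() -> Optional[int]:
    """Read kern.securelevel via sysctl(8) on BSD; None where unavailable."""
    try:
        out = subprocess.run(["sysctl", "-n", "kern.securelevel"],
                             capture_output=True, text=True, check=True).stdout
        return int(out.strip())
    except (OSError, subprocess.CalledProcessError, ValueError):
        return None


def audit_clean_tree() -> List[str]:
    """Self-check on a constructed chroot tree holding only regular files."""
    root = tempfile.mkdtemp(prefix="chroot-audit-")
    os.makedirs(os.path.join(root, "etc"))
    open(os.path.join(root, "etc", "passwd"), "w").close()
    return find_device_nodes(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    print("device nodes in", target, ":", find_device_nodes(target) or "none")
    print("kern.securelevel:", securelevel())
```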