Date: Mon, 14 Apr 2003 01:44:00 +0200 From: Pawel Jakub Dawidek <nick@garage.freebsd.pl> To: Mark Shepard <mns@BEST.COM> Cc: freebsd-security@freebsd.org Subject: Re: chroot() as non-root user? Message-ID: <20030413234400.GD52293@garage.freebsd.pl> In-Reply-To: <5.2.0.9.2.20030413101417.022481b0@127.0.0.1> References: <5.2.0.9.2.20030413101417.022481b0@127.0.0.1>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Sun, Apr 13, 2003 at 10:20:35AM -0500, Mark Shepard wrote: +> Q3: Why not allow non-root users to chroot() _as long as the target dir. +> is on a partition mounted nosuid_? Seems like this would be a simple +> mechanism (both to understand and to implement) and would allow regular +> users to take advantage of chroot to improve the security of scripts, CGIs, +> etc. You can do this with CerbNG (avaliable at http://cerber.sourceforge.net). Policy could looks like this: #define NONSUID_PATH "/path/to/nonsuid/dir/*" if (syscall == SYS_chroot && ruid > 0 && ismember(GET_GID("chroot"), groups)) { reg[1] = realpath(arg[0]); if (reg[1] !@ NONSUID_PATH) { return(EPERM); } /* chdir first to that directory */ setsyscall(SYS_chdir); reg[0] = call(); if (reg[0] != 0) { return(reg[0]); } setsyscall(SYS_chroot); /* give uid 0 for this syscall */ reg[0] = sucall(); if (reg[0] != 0) { return(reg[0]); } log(LOG_INFO, "CerbNG:%s: %s(%s[%s]) (with euid 0).", pname, syscallname, arg[0], reg[1]); return(0); } From now on members of group ,,chroot'' are able to use chroot(2) syscall without uid 0 if they want to chroot to some directory in NONSUID_PATH. -- Pawel Jakub Dawidek pawel@dawidek.net UNIX Systems Programmer/Administrator http://garage.freebsd.pl Am I Evil? Yes, I Am! http://cerber.sourceforge.net [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPpn2QD/PhmMH/Mf1AQHnIgP/cEzIXdeV/2kNCfG5mI4BKnKCGuj4iBY+ seKppte59rH5ExMKP1Z7QgCQqEkWPYgn1KRyalpX2U8QP+S3MXVXG0xbXe7E+YbQ eaIslM+0MIUEo8Abo5uYHvdEi7Aa0EC/PPLPp4YN/508kLWkNL49pT/fNb+oV+nc 9kwdZMvYlY4= =SEd+ -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030413234400.GD52293>