From: Pawel Jakub Dawidek
To: Mark Shepard
Cc: freebsd-security@freebsd.org
Date: Mon, 14 Apr 2003 01:44:00 +0200
Subject: Re: chroot() as non-root user?
Message-ID: <20030413234400.GD52293@garage.freebsd.pl>
In-Reply-To: <5.2.0.9.2.20030413101417.022481b0@127.0.0.1>

On Sun, Apr 13, 2003 at 10:20:35AM -0500, Mark Shepard wrote:
> Q3: Why not allow non-root users to chroot() _as long as the target dir
> is on a partition mounted nosuid_? Seems like this would be a simple
> mechanism (both to understand and to implement) and would allow regular
> users to take advantage of chroot to improve the security of scripts,
> CGIs, etc.

You can do this with CerbNG (available at http://cerber.sourceforge.net).
The policy could look like this:

	#define NONSUID_PATH "/path/to/nonsuid/dir/*"

	if (syscall == SYS_chroot && ruid > 0 &&
	    ismember(GET_GID("chroot"), groups)) {
		reg[1] = realpath(arg[0]);
		if (reg[1] !@ NONSUID_PATH) {
			return(EPERM);
		}
		/* chdir first to that directory */
		setsyscall(SYS_chdir);
		reg[0] = call();
		if (reg[0] != 0) {
			return(reg[0]);
		}
		setsyscall(SYS_chroot);
		/* give uid 0 for this syscall */
		reg[0] = sucall();
		if (reg[0] != 0) {
			return(reg[0]);
		}
		log(LOG_INFO, "CerbNG:%s: %s(%s[%s]) (with euid 0).",
		    pname, syscallname, arg[0], reg[1]);
		return(0);
	}

From now on, members of the group "chroot" are able to use the chroot(2)
syscall without uid 0 if they want to chroot to some directory in
NONSUID_PATH.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net