From owner-freebsd-hackers Sun Feb 23 06:54:47 1997
Return-Path: <owner-hackers@freebsd.org>
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA13809 for hackers-outgoing; Sun, 23 Feb 1997 06:54:47 -0800 (PST)
Received: from bofh.cybercity.dk (bofh.cybercity.dk [195.8.128.254]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA13777; Sun, 23 Feb 1997 06:54:41 -0800 (PST)
Received: from critter.dk.tfs.com (phk.cybercity.dk [195.8.133.247]) by bofh.cybercity.dk (8.8.3/8.7.3) with ESMTP id PAA06885; Sun, 23 Feb 1997 15:56:54 +0100 (MET)
Received: from critter.dk.tfs.com (localhost [127.0.0.1]) by critter.dk.tfs.com (8.8.2/8.8.2) with ESMTP id PAA02532; Sun, 23 Feb 1997 15:57:23 +0100 (MET)
To: Julian Assange
cc: eivind@dimaga.com (Eivind Eklund), hackers@freebsd.org, security@freebsd.org
Subject: Re: o [1997/02/01] bin/2634 rtld patches for easy creation of chroot environments
In-reply-to: Your message of "Mon, 24 Feb 1997 01:16:47 +1100." <199702231416.BAA10178@profane.iq.org>
Date: Sun, 23 Feb 1997 15:57:22 +0100
Message-ID: <2530.856709842@critter.dk.tfs.com>
From: Poul-Henning Kamp
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702231416.BAA10178@profane.iq.org>, Julian Assange writes:
>> Not quite. If we allow users to do this to setuid binaries, they can make
>> setuid programs read dangerous config files, and exploit the new behaviour.
>> A really simple example would be to create a fake /etc with a new
>> master.passwd and run su. Sure, you have su only in the chroot()ed
>> environment, but you could easily create a new suid binary...
>>
>> There is a reason chroot() is restricted to root, and I think we'd better
>> keep that. If the patch was changed to restrict use to non-suid only (ie,
>> root only), I'd be much more comfortable with it.
>
>It is restricted to non-suid, just the same as LD_PRELOAD is. There
>is an "unsafe" field in the scan_tab for all environmental variables
>used by ld.so. It's set to on for LD_CHROOT. You may want to have
>a look at this before presuming I'm a complete fool ;)

Listen, this patch may or may not be correct, but it certainly is
pointless. For anything as little used as chroot to clobber one of the
most time-critical pieces of code in userland is simply not an option,
in particular where there isn't any better argumentation than "it would
be neat if one could..."

Can this discussion please be taken offline now?

--
Poul-Henning Kamp             | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk   | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                  | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
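The mechanism the thread argues over is the loader's "unsafe" flag: an environment variable marked unsafe in the scan table is simply never read when the process is set-uid or set-gid, which is what stops the fake-/etc-plus-su attack Eivind describes. The following is an added illustration of that pattern, written for this page; it is not FreeBSD's ld.so, and the names scan_tab, scan_entry, scan_env, scan_value, process_is_tainted and demo_lookup, the LD_CHROOT entry, and the demo_env array are all this example's own assumptions. It checks privilege with a uid/gid comparison so it runs anywhere; on FreeBSD the loader's real test is issetugid(2).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical scan table modelled on the "unsafe" field mentioned in the
 * thread.  Names and layout are this example's own, not FreeBSD's ld.so.
 */
struct scan_entry {
    const char *name;    /* environment variable the loader honours      */
    bool        unsafe;  /* discard when the process is set-uid/set-gid  */
    const char *value;   /* set by scan_env(); NULL when absent/dropped  */
};

static struct scan_entry scan_tab[] = {
    { "LD_LIBRARY_PATH", true,  NULL },
    { "LD_PRELOAD",      true,  NULL },
    { "LD_CHROOT",       true,  NULL },  /* the variable the patch proposes */
    { "LD_BIND_NOW",     false, NULL },  /* harmless: only changes bind time */
    { NULL,              false, NULL }
};

/*
 * True when the process may hold privileges its invoker does not.  Portable
 * approximation for the example; FreeBSD's rtld asks the kernel via
 * issetugid(2), which also survives later uid changes in the process.
 */
bool process_is_tainted(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/*
 * Walk an environ-style array and record the value of every variable in
 * scan_tab, silently dropping unsafe ones when the process is tainted.
 * That drop is the whole protection: a set-uid binary never sees
 * LD_PRELOAD or LD_CHROOT, so it cannot be pointed at a fake /etc.
 */
void scan_env(char *const envp[], bool tainted)
{
    for (struct scan_entry *e = scan_tab; e->name != NULL; e++)
        e->value = NULL;

    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL)
            continue;
        size_t len = (size_t)(eq - envp[i]);
        for (struct scan_entry *e = scan_tab; e->name != NULL; e++) {
            if (strlen(e->name) != len || strncmp(e->name, envp[i], len) != 0)
                continue;
            if (e->unsafe && tainted)
                break;              /* dropped: privileged process */
            e->value = eq + 1;
            break;
        }
    }
}

/* Value recorded for NAME by the last scan_env(), or NULL. */
const char *scan_value(const char *name)
{
    for (struct scan_entry *e = scan_tab; e->name != NULL; e++)
        if (strcmp(e->name, name) == 0)
            return e->value;
    return NULL;
}

/* Constructed environment for the demonstration, not a real process's. */
static char *const demo_env[] = {
    "PATH=/bin:/usr/bin",
    "LD_CHROOT=/tmp/jail",
    "LD_PRELOAD=/tmp/jail/evil.so",
    "LD_BIND_NOW=1",
    NULL,
};

/* What the loader would see for NAME in an unprivileged or a set-uid run. */
const char *demo_lookup(const char *name, bool setuid_run)
{
    scan_env(demo_env, setuid_run);
    return scan_value(name);
}

int main(void)
{
    printf("LD_CHROOT, unprivileged: %s\n", demo_lookup("LD_CHROOT", false));
    printf("LD_CHROOT, set-uid:      %s\n",
           demo_lookup("LD_CHROOT", true) ? "honoured" : "ignored");
    printf("LD_BIND_NOW, set-uid:    %s\n", demo_lookup("LD_BIND_NOW", true));
    printf("this process tainted:    %s\n", process_is_tainted() ? "yes" : "no");
    return 0;
}
```

The point worth noticing is that the check is per variable, not per process: LD_BIND_NOW survives a set-uid run because it can only change when symbols are bound, while anything that changes which files the loader opens (LD_LIBRARY_PATH, LD_PRELOAD, and a hypothetical LD_CHROOT) is dropped outright rather than validated.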