Date: Sun, 23 Feb 1997 19:10:20 +1100 (EST)
From: Julian Assange <proff@iq.org>
To: peter@spinner.DIALix.COM (Peter Wemm)
Cc: hackers@freebsd.org, security@freebsd.org
Subject: Re: o [1997/02/01] bin/2634 rtld patches for easy creation of chroot enviroments
Message-ID: <199702230810.TAA10018@profane.iq.org>
In-Reply-To: <199702210853.QAA15189@spinner.DIALix.COM> from Peter Wemm at "Feb 21, 97 04:53:33 pm"
> What's to stop a user from setting LD_CHROOT to a "hostile" environment,
> running a setuid program (which ignores LD_CHROOT), which happens to set
> its uids to the new id, and that process execs some binary with uid ==
> euid now, so that new binary now takes note of LD_CHROOT and is now
> vulnerable to the "hostile" chroot environment...

Same argument applies to all the LD_* variables. This technique was used to
undermine the sync:: account under SunOS with login -p etc.

> Also, wouldn't this be better in crt0.c so it'd be usable for statically
> linked binaries?

crt0.c should be as minimal as possible (since it is linked with all code),
and the crt0.c solution requires relinking of all binaries (which may not be
possible). Further, statics don't have as much need for this type of thing.

> Hmm.. another thing.. Once the chroot has happened, nothing removes the
> LD_CHROOT variable from the environment.. Any sub processes will also try
> to chroot within the chroot space.. This could be a bit noisy.. :-]

You shouldn't be running sub-processes in the chroot space that are
dynamically linked, because they won't be able to get at the shlibs or ld.so.
Nonetheless it is probably worthwhile zorching LD_CHROOT when chroot() is
called.

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702230810.TAA10018>