From owner-freebsd-security Wed Jun 13 14:23: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id 0AE7937B407 for ; Wed, 13 Jun 2001 14:22:46 -0700 (PDT) (envelope-from razor@ldc.ro) Received: (qmail 13476 invoked by uid 666); 13 Jun 2001 21:22:43 -0000 Date: Thu, 14 Jun 2001 00:19:47 +0300 From: Alex Popa To: Kris Kennaway Cc: security@freebsd.org Subject: Re: Compiling untrusted source -- what are the risks? Message-ID: <20010614001947.A13403@ldc.ro> References: <20010613092402.A8413@ldc.ro> <20010613130313.B64020@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010613130313.B64020@xor.obsecurity.org>; from kris@obsecurity.org on Wed, Jun 13, 2001 at 01:03:13PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 13, 2001 at 01:03:13PM -0700, Kris Kennaway wrote: > On Wed, Jun 13, 2001 at 09:24:02AM +0300, Alex Popa wrote: > > > The step I am worried about is the compiling, since I do need to have > > the include files and libraries available. > > [irrelevant part snipped] > > You could do this step in a jail if you wanted to. If you're using > user-supplied makefiles, then they can run arbitrary commands. If > you're using a fixed set of compiler invocations and the standard > toolchain then it should probably be okay (I don't know of any ways to > cause the compiler toolchain to execute arbitrary commands during > compilation). > > Kris I will probably go with something like (filename will be my own, not the user supplied filename): "gcc -Wall -W -Werror -pipe -static filename.c -o a.out" for the compiling step. The toolchain is exactly what I was worried about, and I really do not feel like providing a fresh jail for every compile. The running of the programs will go in a new jail and UID for every run, to prevent pollution. I also consider disabling SYSV semaphores and shared memory for that particular machine. Thank you a lot, Alex (who did paranoia++ a few too many times) ------------+------------------------------------------ Alex Popa, | "Artificial Intelligence is razor@ldc.ro| no match for Natural Stupidity" ------------+------------------------------------------ "It took the computing power of three C-64s to fly to the Moon. It takes a 486 to run Windows 95. Something is wrong here." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message