Date: Sat, 30 Sep 2000 17:38:31 -0400
From: "Brian F. Feldman" <green@FreeBSD.org>
To: Mike Silbersack <silby@silby.com>
Cc: "Brian F. Feldman" <green@FreeBSD.org>, security@FreeBSD.org
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID: <200009302138.e8ULcW544214@green.dyndns.org>
In-Reply-To: Message from Mike Silbersack <silby@silby.com> of "Sat, 30 Sep 2000 16:22:46 CDT." <Pine.BSF.4.21.0009301619010.23864-100000@achilles.silby.com>
Mike Silbersack <silby@silby.com> wrote:
>
> On Sat, 30 Sep 2000, Brian F. Feldman wrote:
>
> > That is, one can create their own jail (or just chroot(8)... I should
> > probably get user-chrooting reviewed ;) which they would use for running
> > potentially evil things -- like reading e-mail with pine. It's not too
> > difficult, but it's really easier just to switch to a better MUA.
>
> user-chrooting would be excellent. Chrooting MUAs / web browsers / etc
> would be a nice feature no matter how secure the program in question seems
> to be. If you get it implemented, I'll be the first to use the
> feature. :)
>
> Mike "Silby" Silbersack

Cool :) I use it, for example, for fuzz; it works quite nicely for that. I think I have taken care of all the possible negative interactions and made it safe, so it does need a review, but I'm fairly sure that many people will want to be able to do chroot without being root. Here's what it entails:

--- kern/kern_exec.c 2000/09/05 22:10:22 1.113 +++ kern/kern_exec.c 2000/09/15 11:41:14 @@ -280,7 +280,7 @@ if ((((attr.va_mode & VSUID) && p->p_ucred->cr_uid != attr.va_uid) || ((attr.va_mode & VSGID) && p->p_ucred->cr_gid != attr.va_gid)) && (imgp->vp->v_mount->mnt_flag & MNT_NOSUID) == 0 && - (p->p_flag & P_TRACED) == 0) { + (p->p_flag & (P_TRACED | P_UCHROOT)) == 0) { /* * Turn off syscall tracing for set-id programs, except for * root. --- kern/kern_fork.c 2000/09/05 22:10:22 1.80 +++ kern/kern_fork.c 2000/09/15 11:41:15 @@ -434,7 +434,7 @@ * Preserve some more flags in subprocess. P_PROFIL has already * been preserved. */ - p2->p_flag |= p1->p_flag & P_SUGID; + p2->p_flag |= p1->p_flag & (P_SUGID | P_UCHROOT); if (p1->p_session->s_ttyvp != NULL && p1->p_flag & P_CONTROLT) p2->p_flag |= P_CONTROLT; if (flags & RFPPWAIT) --- kern/vfs_syscalls.c 2000/09/05 02:13:14 1.165 +++ kern/vfs_syscalls.c 2000/09/15 11:41:18
@@ -906,6 +906,21 @@ &chroot_allow_open_directories, 0, ""); /* + * This sysctl determines if we will allow any process to chroot(), rather + * than only allowing the capability for "root" users. Once a user has + * performed the chroot(), there must be no way for it to gain elevated + * privileges, therefore P_UCHROOT is set and cannot be cleared in any + * way. P_UCHROOT is used by execve() in the same manner as P_TRACE: + * if the user has too much control over the process, it must not gain + * privileges. + */ + +static int chroot_allow_non_suser = 0; + +SYSCTL_INT(_kern, OID_AUTO, chroot_allow_non_suser, CTLFLAG_RW, + &chroot_allow_non_suser, 0, ""); + +/* * Change notion of root (``/'') directory. */ #ifndef _SYS_SYSPROTO_H_ @@ -922,12 +937,14 @@ } */ *uap; { register struct filedesc *fdp = p->p_fd; - int error; + int error, notsuser; struct nameidata nd; error = suser_xxx(0, p, PRISON_ROOT); - if (error) + if (error && !chroot_allow_non_suser) return (error); + notsuser = error; + error = 0; if (chroot_allow_open_directories == 0 || (chroot_allow_open_directories == 1 && fdp->fd_rdir != rootvnode)) error = chroot_refuse_vdir_fds(fdp); @@ -944,6 +961,8 @@ fdp->fd_jdir = nd.ni_vp; VREF(fdp->fd_jdir); } + if (notsuser) + p->p_flag |= P_UCHROOT; return (0); } --- sys/proc.h 2000/09/05 22:11:12 1.110 +++ sys/proc.h 2000/09/16 12:31:49 @@ -292,6 +292,7 @@ #define P_JAILED 0x1000000 /* Process is in jail */ #define P_OLDMASK 0x2000000 /* need to restore mask before pause */ #define P_ALTSTACK 0x4000000 /* have alternate signal stack */ +#define P_UCHROOT 0x8000000 /* process has performed a user-chroot */ #define P_CAN_SEE 1 #define P_CAN_KILL 2

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
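Review bot: in the kern_exec.c hunk, the comment directly below the changed condition still reads "Turn off syscall tracing for set-id programs, except for root" and now describes only half of what the test guards. With P_UCHROOT in the mask, a process that has done an unprivileged chroot() executes a set-uid or set-gid image with its own credentials, exactly as a traced process does. Add a sentence there naming P_UCHROOT and the reason (a user-chrooted process controls everything under its root, so set-id bits found there cannot be trusted); otherwise the next reader of kern_exec.c has to find the vfs_syscalls.c comment to learn why the flag is consulted at this point.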
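Review bot: in the kern_fork.c hunk, `p2->p_flag |= p1->p_flag & (P_SUGID | P_UCHROOT);` is the line that makes the flag stick, since a child that failed to inherit it could exec a set-id binary from inside the user-chosen root. The comment above ("Preserve some more flags in subprocess") should state that P_UCHROOT must be copied on every fork path and is never cleared, so that a later rework of this block does not drop it silently.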
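Review bot: the new comment block in vfs_syscalls.c says P_UCHROOT is used "in the same manner as P_TRACE", but the flag tested in kern_exec.c is P_TRACED; fix the name so a grep finds both sites. The description string in `SYSCTL_INT(_kern, OID_AUTO, chroot_allow_non_suser, CTLFLAG_RW, &chroot_allow_non_suser, 0, "");` is empty; the first sentence of the comment ("allow any process to chroot(), rather than only root") would serve as the description. The default of 0 keeps the existing behaviour until an administrator opts in, which is the right default for a feature that is still awaiting review.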
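Review bot: in the chroot() hunk, `notsuser = error;` stores the EPERM value returned by suser_xxx() as a boolean and `error = 0;` then discards it; that works, but `notsuser = (error != 0); error = 0;` says what is meant, and a short comment that the suser failure is deliberately forgiven when chroot_allow_non_suser is set would help. Note that the chroot_allow_open_directories test that follows still applies to the unprivileged caller, so an unprivileged chroot() with open directory descriptors is refused or allowed under the same policy as a root one. That is the correct scope: the property this patch enforces is that the process gains no privilege, not that it cannot later leave the directory it chose.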
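Review bot: in the `@@ -944,6 +961,8 @@` hunk, `p->p_flag |= P_UCHROOT;` is executed after the root and jail directory vnodes have already been replaced (`fdp->fd_jdir = nd.ni_vp; VREF(fdp->fd_jdir);`). In the code as shown there is no failure return between the two, so the ordering is harmless today, but the invariant the feature depends on is "an unprivileged process whose root was changed always carries P_UCHROOT"; setting the flag immediately before the vnodes are swapped, once all error returns are behind, keeps that invariant fail-closed if a later change adds a failure path in between. Either way, a comment at the assignment stating that the flag is permanent for the process and all of its descendants lets the reader confirm the invariant locally.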
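Review bot: in the sys/proc.h hunk, the new bit `0x8000000` continues the sequence after P_ALTSTACK 0x4000000 and does not collide with the three neighbours shown; the remaining p_flag definitions in the header are not in the hunk, so the committer should confirm the value is unused elsewhere in proc.h before merging. The comment "process has performed a user-chroot" should also record the flag's contract where it is defined: inherited across fork, never cleared, and causes execve() to ignore set-id bits.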