From owner-freebsd-security Sat Nov 2 01:38:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA25912 for security-outgoing; Sat, 2 Nov 1996 01:38:29 -0800 (PST)
Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA25896; Sat, 2 Nov 1996 01:38:22 -0800 (PST)
Received: from critter.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id KAA04443; Sat, 2 Nov 1996 10:38:16 +0100 (MET)
To: Marc Slemko
cc: Don Lewis, Dev Chanchani, freebsd-security@freebsd.org
Subject: Re: chroot() security
In-reply-to: Your message of "Fri, 01 Nov 1996 23:38:23 MST."
Date: Sat, 02 Nov 1996 10:38:15 +0100
Message-ID: <4441.846927495@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message , Marc Slemko writes:
>On Fri, 1 Nov 1996, Don Lewis wrote:
>
>> You can add various checks to the kernel to keep chroot()ed processes
>> from doing a lot of these things, but there is one deadly exploit that
>> someone posted to this list back in September. By the clever use of
>> chroot() and chdir(), it is possible for a root process to waltz out
>> of a chroot()ed environment. I don't know of a clean way of plugging
>> that hole.
>>
>> BTW, thanks for mentioning ptrace(). I hadn't thought of that one.
>
>Yup, you certainly can add checks and in theory you should be able to plug
>all the holes IF you can find them. My bet is that you won't be able to
>find them, so you can't make it secure.

One simple way is to disallow processes that have any *uid == 0 in the
chroot tree. I did this once by comparing the rootfs pointer to that of
pid == 1, and if it was different and one of the uids was zero I killed
the process.

The few operations that needed to do root things sent a message over a
TCP pipe to a local process that would examine what process was at the
other end of the pipe and do the stuff to it if it made sense. That daemon
ran outside the chroot env.

Sorry, can't give you the code, somebody paid me to do it.

--
Poul-Henning Kamp             | phk@FreeBSD.ORG           FreeBSD Core-team.
http://www.freebsd.org/~phk   | phk@login.dknet.dk        Private mailbox.
whois: [PHK]                  | phk@ref.tfs.com           TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
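The rule PHK describes (compare a process's root directory with that of pid 1; if they differ and any uid is 0, kill the process) can be modelled outside the kernel to see exactly which processes it catches. The following is an added example, not PHK's code and not FreeBSD kernel code: the kernel's root vnode pointer is stood in for by an ordinary pointer identity, the process table is a constructed sample, and the names `proc_view`, `cred_view`, `scan_proc_table` and so on are hypothetical. It checks the real, effective and saved uid, because a process with a non-zero euid but a saved uid of 0 can still seteuid(0) back to root, which is why "any *uid == 0" rather than just "euid == 0" is the right test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed user-space model of the kernel check described in the message. */

struct cred_view {
    uid_t ruid;   /* real uid */
    uid_t euid;   /* effective uid */
    uid_t svuid;  /* saved uid: a non-zero euid can still seteuid(0) if this is 0 */
};

struct proc_view {
    pid_t pid;
    const char *comm;      /* process name, for the report only */
    const void *rootdir;   /* stands in for the kernel's root vnode pointer */
    struct cred_view cred;
};

/* A process whose root differs from init's root has been chroot()ed. */
bool is_chrooted(const struct proc_view *p, const struct proc_view *init)
{
    return p->rootdir != init->rootdir;
}

/* Any of the three uids being 0 means the process holds, or can regain, root. */
bool holds_root(const struct cred_view *c)
{
    return c->ruid == 0 || c->euid == 0 || c->svuid == 0;
}

/* The policy from the message: chrooted AND any uid == 0 -> terminate. */
bool violates_chroot_policy(const struct proc_view *p, const struct proc_view *init)
{
    return is_chrooted(p, init) && holds_root(&p->cred);
}

/* Scan a process table; write the pids to kill into `flagged`, return the count. */
size_t scan_proc_table(const struct proc_view *table, size_t n,
                       pid_t *flagged, size_t max_flagged)
{
    const struct proc_view *init = NULL;
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i].pid == 1) { init = &table[i]; break; }
    if (init == NULL)
        return 0;   /* no pid 1 to compare against: nothing can be decided */
    for (size_t i = 0; i < n; i++) {
        if (violates_chroot_policy(&table[i], init)) {
            if (count < max_flagged)
                flagged[count] = table[i].pid;
            count++;
        }
    }
    return count;
}

/* Constructed sample: two distinct root identities, the real / and a chroot dir. */
static const int real_root = 0, jail_root = 1;   /* only their addresses matter */

const struct proc_view sample_table[] = {
    { 1,   "init",   &real_root, { 0,  0,  0 } },   /* root outside chroot: fine */
    { 120, "sshd",   &real_root, { 0,  0,  0 } },   /* root outside chroot: fine */
    { 201, "ftpd",   &jail_root, { 14, 14, 14 } },  /* unprivileged in chroot: fine */
    { 202, "httpd",  &jail_root, { 0,  0,  0 } },   /* root inside chroot: kill */
    { 203, "worker", &jail_root, { 14, 14, 0 } },   /* saved uid 0 in chroot: kill */
};
const size_t sample_table_len = sizeof sample_table / sizeof sample_table[0];

/* Helpers that run the policy over the sample table and return the results. */
size_t sample_violation_count(void)
{
    pid_t flagged[8];
    return scan_proc_table(sample_table, sample_table_len, flagged, 8);
}

pid_t sample_flagged_pid(size_t i)
{
    pid_t flagged[8];
    size_t n = scan_proc_table(sample_table, sample_table_len, flagged, 8);
    return i < n ? flagged[i] : (pid_t)-1;
}

int main(void)
{
    pid_t flagged[8];
    size_t n = scan_proc_table(sample_table, sample_table_len, flagged, 8);
    for (size_t i = 0; i < n; i++)
        printf("would kill pid %ld: root uid inside chroot\n", (long)flagged[i]);
    return 0;
}
```

Run stand-alone it reports pids 202 and 203; 201 is left alone because it dropped all three uids before working inside the chroot, which is the only state the policy permits there.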