Date:      Tue, 15 Dec 1998 10:21:04 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Joe Abley <jabley@clear.co.nz>
Cc:        Mark Murray <mark@grondar.za>, Kevin Day <toasty@home.dragondata.com>, freebsd-current@FreeBSD.ORG, jabley@clear.co.nz
Subject:   Re: modification to exec in the kernel?
Message-ID:  <199812151821.KAA56685@apollo.backplane.com>
References:  <19981215120357.B11837@clear.co.nz> <199812142331.RAA17203@home.dragondata.com> <19981215124818.A22526@clear.co.nz> <199812150644.IAA67338@greenpeace.grondar.za> <199812150917.BAA52694@apollo.backplane.com> <19981216053701.B27078@clear.co.nz>


:>     I think a chroot'd environment can be even *more* dangerous than a 
:>     non-chroot'd environment because critical system configuration files
:>     will be missing and potentially creatable by the user - if the
:>     chroot'd environment is based in a user-owned directory and you've
:>     installed any suid or sgid system binaries, you have an extremely
:>     serious security hole on your hands.
:
:It wasn't our intention to have _any_ setuid/setgid binaries available in
:the chrooted environment - and the /, /usr, /var, /etc directories would not
:be user-owned, but rather hardlinks to private copies of the appropriate
:directories owned by some non-user uid.
:
:So how is this more dangerous than a non-chrooted environment? Surely it
:is _as_ safe - but with the added control that the user sees an appropriate
:subset of the entire filesystem that is controlled, regardless of what the
:system as a whole needs to have installed in order to function?
:
:
:Joe

    I don't see the point.  Let me put it this way:  If you give
    the user a non-chrooted environment but do not give the user access
    to any suid/sgid programs, how is this different from giving the user
    a chroot'd environment without access to any suid/sgid programs?  The
    only difference that I can think of is access to /tmp.  I don't see how
    the chroot'd environment is any safer than the non-chroot'd environment.

    In the chroot'd environment the user still has access to the network,
    all system calls, and can still create and run binaries.  Going through
    my memory and considering the known root exploits found in the last year,
    this user would still be able to run most of them.  Once the user breaks
    root, the user can trivially break out of the chroot.

						-Matt

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    
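A defender's check for the conditions the two mails above argue over (setuid/setgid binaries installed inside the jail, jail directories owned by the jailed user rather than a separate uid, and critical configuration files missing from the jail where the user might be able to create them). This is an added example, not code from the thread or from FreeBSD; the function name `audit_chroot`, its two arguments and the list of "critical" files are assumptions.

```sh
#!/bin/sh
# Added example: audit a chroot tree for the conditions discussed above.
# Usage: audit_chroot /path/to/jail jaileduser
# Prints one finding per line; exit status 0 means nothing was found.
audit_chroot() {
    root=$1
    user=$2
    findings=0

    # 1. setuid/setgid files anywhere under the jail (the case Matt calls
    #    "an extremely serious security hole" when combined with user-owned dirs)
    suid=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$suid" ]; then
        echo "$suid" | sed 's|^|SUID/SGID binary inside jail: |'
        findings=$((findings + $(echo "$suid" | wc -l)))
    fi

    # 2. system directories inside the jail owned by the jailed user
    #    (Joe's design keeps them owned by a separate non-user uid)
    for d in "" /etc /usr /var /bin /lib; do
        dir="$root$d"
        [ -d "$dir" ] || continue
        if [ -n "$(find "$dir" -maxdepth 0 -user "$user" 2>/dev/null)" ]; then
            echo "Jail directory owned by jailed user: $dir"
            findings=$((findings + 1))
        fi
    done

    # 3. critical configuration files missing from the jail; a user who can
    #    write the jail's /etc could create them (file list is an assumption)
    for c in /etc/passwd /etc/group /etc/master.passwd; do
        if [ ! -e "$root$c" ]; then
            echo "Critical config file missing from jail: $root$c"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run it against a jail root and the uid the jail is meant for; a non-zero exit with findings printed is the signal to fix ownership or remove the binaries before handing the jail to the user.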
