From owner-freebsd-security Fri Dec 18 05:19:53 1998
From: "Marco Molteni"
Date: Fri, 18 Dec 1998 13:56:33 +0100 (CET)
To: Guido Stepken
cc: freebsd-security@FreeBSD.ORG
Subject: A better explanation (was: buffer overflows and chroot)
In-Reply-To: <002501be2a64$5a4dd8e0$9125b43e@beatix.intra.net>
Message-ID:

On Fri, 18 Dec 1998, Guido Stepken wrote:

> This program is absolute nonsense. Buffer overflows can be everywhere in
> a handshake of specific protocols (mail from: ... rcpt to:, smtp) and
> are found in many gets/puts routines in the library and every bloody
> program which makes use of such libs. Some programs are written without
> static arrays, which could be overflowed (8-) Wietse's new mail program),
> but with dynamic memory addressing. Those programs cannot be overflowed
> by any trick, but it can result in heavy swapping and finally in a DoS
> attack. Kick him off! This guy is unserious as well as your professor
> !!!!!!

Guido, maybe I didn't explain the situation well, so I'll retry, ok?

I know what a buffer overflow is.
I know that some buffer overflows can be exploited to execute another program (e.g. a shell), and that, if the program exploited is suid, you get a shell with the effective uid of the owner of the file, as is obvious.

--> Automatic or not automatic (I don't mind how much automation there is in all this affair) <--, there are many ways to find and try to exploit a buffer overflow, right? Ok.

In my situation I have a *legitimate* user, call him Bob, who actively searches for such buffer overflows. He does it for research, and he isn't unserious as you state, I assure you. Anyway, I don't like the idea of anybody other than me being root on my machines.

So my idea/question is: if I build a chroot jail for Bob, fitted with all he needs (e.g. /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc.) and I replace all the suid root binaries with suid root2 binaries, where root2 is a normal user, he can do his experiments, but he can't get root.

Is my idea safe/right/doable?

Marco

---
"Hi, I have a Compaq machine running Windows 95. How do I install FreeBSD?"
"I'm sorry, this is device driver testing: brain implants are two doors down on the right".
(Bill Paul, on the freebsd-net mailing list)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
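A small audit helper for the jail scheme Marco describes, added here as an example and not taken from the thread: it lists every setuid file under a jail root with its owner uid, reports those still owned by uid 0, and re-owns one to the stand-in user. The jail path, the sample tree and the user name "root2" are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. $1 is the jail root
# (e.g. /home/bob/jail); "root2" is Marco's unprivileged stand-in user.

# Print "<owner-uid> <path>" for every setuid file inside the jail.
jail_setuid_files() {
    find "$1" -type f -perm -4000 | while IFS= read -r f; do
        uid=$(ls -ln "$f" | awk '{ print $3 }')
        printf '%s %s\n' "$uid" "$f"
    done
}

# Only the setuid files still owned by uid 0: these are the ones an
# exploited overflow would turn into a root shell, so the jail must have none.
jail_setuid_root() {
    jail_setuid_files "$1" | awk '$1 == 0 { print $2 }'
}

# Number of remaining setuid-root files; 0 means the jail passes the check.
jail_setuid_root_count() {
    jail_setuid_root "$1" | wc -l | tr -d ' '
}

# Re-own a setuid-root file to the stand-in user. chown may clear the setuid
# bit (POSIX permits it; Linux does it), so it is re-applied afterwards.
# Needs root to run; not exercised by the test below.
demote_setuid() {
    file=$1
    newowner=${2:-root2}
    chown "$newowner" "$file" && chmod u+s "$file"
}

# Constructed sample jail (stub scripts, not real system binaries) so the
# audit can be tried offline. Prints the jail path.
make_sample_jail() {
    jail=$(mktemp -d "${TMPDIR:-/tmp}/jail.XXXXXX")
    mkdir -p "$jail/bin" "$jail/usr/bin"
    for p in bin/suidtool usr/bin/othertool bin/plain; do
        printf '#!/bin/sh\necho hi\n' > "$jail/$p"
    done
    chmod 4755 "$jail/bin/suidtool" "$jail/usr/bin/othertool"
    chmod 0755 "$jail/bin/plain"
    printf '%s\n' "$jail"
}
```

Run `jail_setuid_root_count /path/to/jail` after populating the jail and again after each `demote_setuid`; it should reach 0 before Bob gets his account.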