From owner-freebsd-security Fri Dec 18 05:50:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA10110 for freebsd-security-outgoing; Fri, 18 Dec 1998 05:50:30 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA10105 for ; Fri, 18 Dec 1998 05:50:29 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by zippy.cdrom.com (8.9.1/8.9.1) with ESMTP id FAA62541; Fri, 18 Dec 1998 05:50:03 -0800 (PST)
To: "Marco Molteni"
cc: Guido Stepken , freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
In-reply-to: Your message of "Fri, 18 Dec 1998 13:56:33 +0100."
Date: Fri, 18 Dec 1998 05:50:02 -0800
Message-ID: <62537.913989002@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In my situation I have a *legitimate* user, call him Bob, who actively
> searches such buffer overflows. He does it for research, and he isn't
> unserious as you state, I assure you.

If he's searching for truly interesting exploits and he needs root privilege for this, then he must not be very serious about this. :-) It seems a truly dedicated attacker would want to show how things could be exploited *as an ordinary user* in making the case for a serious defense against buffer overflow and other similar types of exploits. Doing it as root is a little like proving you can "break" into a house when you have a full set of keys to all the doors. :-)

> So my idea/question is: if I build a chroot jail for Bob, fitted with all
> he needs (eg /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc) and I
> replace all the suid root binaries with suid root2 binaries, where root2
> is a normal user, he can do his experiments, but he can't get root.
No chroot jail is really safe in the hands of someone with root access; he can always use raw device access to get at things outside the jail (or even destroy them inadvertently during exploit testing). If someone wants to be root on a box, make him get his own to destroy.

This is nothing that any computer facilities support department would generally allow, I can say that much, and if I asked for root access as "Bob" in just about any situation I can think of, the owners of the box in question would laugh wildly for about 5 minutes and then tell me to go jump myself. If I want that kind of access, I have to assume that it's going to have to be my own box.

- Jordan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message