Date: Sun, 23 Feb 1997 14:49:03 +0100
From: Eivind Eklund <eivind@dimaga.com>
To: Julian Assange <proff@iq.org>
Cc: peter@spinner.DIALix.COM (Peter Wemm), hackers@freebsd.org, security@freebsd.org
Subject: Re: o [1997/02/01] bin/2634 rtld patches for easy creation of chroot environments
Message-ID: <3.0.32.19970223144902.00c19100@dimaga.com>
At 07:10 PM 2/23/97 +1100, Julian Assange wrote:
>> What's to stop a user from setting LD_CHROOT to a "hostile" environment,
>> running a setuid program (which ignores LD_CHROOT), which happens to set
>> its uids to the new id, and that process execs some binary with uid ==
>> euid now, so that new binary now takes note of LD_CHROOT and is now
>> vulnerable to the "hostile" chroot environment...
>
> Same argument applies to all the LD_* variables. This technique was used
> to undermine the sync:: account under SunOS with login -p etc.

Not quite. If we allow users to do this to setuid binaries, they can make setuid programs read dangerous config files, and exploit the new behaviour. A really simple example would be to create a fake /etc with a new master.passwd and run su. Sure, you have su only in the chroot()ed environment, but you could easily create a new suid binary...

There is a reason chroot() is restricted to root, and I think we'd better keep that. If the patch was changed to restrict use to non-suid only (i.e., root only), I'd be much more comfortable with it.

Eivind Eklund
perhaps@yes.no
http://maybe.yes.no/perhaps/
eivind@freebsd.org
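The exec chain Peter Wemm describes and the two loader policies argued over in this thread, as an added example that is not part of the thread or of FreeBSD's rtld: a constructed C model of what the loader can see about a freshly exec'd image, with the "uid == euid" policy beside the root-only policy Eivind proposes. The struct, the function names and the chroot path are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Constructed model of what rtld can observe about a freshly exec'd image. */
struct image {
    uid_t ruid;            /* real uid */
    uid_t euid;            /* effective uid */
    bool  set_id;          /* exec'd from a set-uid/set-gid binary (what issetugid() reports) */
    const char *ld_chroot; /* LD_CHROOT from the environment, NULL when unset */
};

/* Policy the thread attributes to the patch: trust LD_CHROOT whenever uid == euid. */
bool honor_ld_chroot_uid_check(const struct image *im)
{
    return im->ld_chroot != NULL && im->ruid == im->euid;
}

/* Policy Eivind argues for: only root, and never from a set-id image. */
bool honor_ld_chroot_root_only(const struct image *im)
{
    return im->ld_chroot != NULL && !im->set_id && im->ruid == 0 && im->euid == 0;
}

/* The exec chain from the thread: a set-uid helper drops to target_uid and then
 * execs a plain binary. The environment (LD_CHROOT included) survives the exec,
 * the new image is not itself set-id, and its real and effective uids agree. */
struct image exec_after_setuid_drop(const struct image *helper, uid_t target_uid)
{
    struct image next = { target_uid, target_uid, false, helper->ld_chroot };
    return next;
}

/* Does a user-supplied LD_CHROOT reach the post-drop image under a given policy?
 * user_uid starts a set-uid-root helper; the helper switches to target_uid and execs. */
bool chroot_reaches_dropped_image(bool (*policy)(const struct image *),
                                  uid_t user_uid, uid_t target_uid)
{
    /* Constructed path: a directory the user controls, holding a fake /etc. */
    struct image helper = { user_uid, 0, true, "/tmp/fake-root" };
    if (policy(&helper))    /* ruid != euid and set-id: both policies refuse here */
        return true;
    struct image next = exec_after_setuid_drop(&helper, target_uid);
    return policy(&next);   /* the uid == euid policy accepts it, the root-only policy does not */
}
```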