Date: Mon, 25 Feb 2008 15:30:03 GMT
From: Ed Schouten <ed@fxq.nl>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/121073: Patch to run chroot as an unprivileged user
Message-ID: <200802251530.m1PFU3oR060218@freefall.freebsd.org>
The following reply was made to PR kern/121073; it has been noted by GNATS.

From: Ed Schouten <ed@fxq.nl>
To: bug-followup@FreeBSD.org, jille@quis.cx
Cc:
Subject: Re: kern/121073: Patch to run chroot as an unprivileged user
Date: Mon, 25 Feb 2008 16:21:46 +0100

Hello,

Just wanted to add some info about what this patch does:

As far as I know, the only unsafe thing about chroot(2) is the fact that you can trick set[ug]id applications to do unwanted things when hardlinked into a new root directory, for example:

- The user could store a different C library inside the chroot to perform an execl("/bin/sh", ...).
- The user could just store his own passwd files, including database files, to make applications like su(8) work, without the proper privileges.

This patch adds a new flag called P_NOSUGID. When enabled, this process will not honor the setuid and setgid flags anymore, just like MNT_NOSUID and P_TRACED.

I have great confidence that this patch does not add any security holes, but just to be sure, this patch adds a sysctl to disable this behaviour by default.

-- 
Ed Schouten <ed@fxq.nl>
WWW: http://g-rave.nl/
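The credential rule the mail describes, as an added userland model (this is not the PR's patch and not FreeBSD kernel code): on exec, the set[ug]id bits of the image are honored only if none of MNT_NOSUID, P_TRACED or the proposed P_NOSUGID applies. The flag values, the struct layouts and the function name `exec_credentials` are assumptions made for this illustration; the point is to show why a setuid-root binary hardlinked into a chroot owned by an unprivileged user keeps running as that user once P_NOSUGID is set on the process.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* S_ISUID, S_ISGID */

/* Hypothetical flag values, chosen for this model only. */
#define P_TRACED    0x0001   /* process is being debugged */
#define P_NOSUGID   0x0002   /* the flag proposed in kern/121073 */
#define MNT_NOSUID  0x0001   /* file system mounted nosuid */

struct exec_cred { uid_t uid, euid; gid_t gid, egid; };

/* What the kernel knows about the image being executed. */
struct exec_image {
    mode_t mode;        /* permission bits, possibly with S_ISUID/S_ISGID */
    uid_t  owner_uid;   /* inode owner; 0 for a setuid-root binary */
    gid_t  owner_gid;
    int    mnt_flags;   /* flags of the mount the inode lives on */
};

/* Derive the credentials of the new image from the caller's credentials.
 * Real and effective ids are inherited; the effective ids are replaced by
 * the image owner only when the set[ug]id bits are honored. */
struct exec_cred exec_credentials(struct exec_cred cur,
                                  struct exec_image img, int p_flag)
{
    struct exec_cred next = cur;
    bool honor = !(img.mnt_flags & MNT_NOSUID)
              && !(p_flag & (P_TRACED | P_NOSUGID));
    if (honor && (img.mode & S_ISUID))
        next.euid = img.owner_uid;
    if (honor && (img.mode & S_ISGID))
        next.egid = img.owner_gid;
    return next;
}

/* Convenience: effective uid obtained by uid 1001 running a setuid-root
 * image under the given process and mount flags. */
uid_t euid_after_exec(int p_flag, int mnt_flags)
{
    struct exec_cred caller = { 1001, 1001, 1001, 1001 };   /* constructed */
    struct exec_image su = { 04555, 0, 0, mnt_flags };      /* constructed: like su(8) */
    return exec_credentials(caller, su, p_flag).euid;
}

int main(void)
{
    printf("plain exec:        euid %u\n", (unsigned)euid_after_exec(0, 0));
    printf("with P_NOSUGID:    euid %u\n", (unsigned)euid_after_exec(P_NOSUGID, 0));
    printf("nosuid mount:      euid %u\n", (unsigned)euid_after_exec(0, MNT_NOSUID));
    printf("traced process:    euid %u\n", (unsigned)euid_after_exec(P_TRACED, 0));
    return 0;
}
```

Without any of the three conditions the model hands euid 0 to the caller, which is exactly the outcome the mail wants to prevent when the image was hardlinked next to an attacker-supplied libc or passwd database; with P_NOSUGID the process keeps euid 1001 regardless of the image's mode bits.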