Date: Sat, 16 Aug 2008 15:10:49 +0300
From: Kostik Belousov <kostikbel@gmail.com>
To: Ed Schouten
Cc: Jille Timmermans, FreeBSD Arch <freebsd-arch@freebsd.org>
Subject: Re: [Reviews requested] kern/121073: chroot for non-root users
Message-ID: <20080816121049.GU1803@deviant.kiev.zoral.com.ua>
In-Reply-To: <20080816111824.GL99951@hoeg.nl>

On Sat, Aug 16, 2008 at 01:18:24PM +0200, Ed Schouten wrote:
> Hello everyone,
>
> When I visited FOSDEM back in February, I was talking with Jille
> Timmermans about the chroot() call. After discussing that the problem
> with chroot() is that it cannot safely be executed by non-root users
> w.r.t. setuid binaries*, we wrote this patchset for the kernel to add
> something similar to `MNT_NOSUID' to the process flags. The result
> being:
>
> http://bugs.FreeBSD.org/121073
>
> The patch even adds a small security improvement to the system. Say
> you'd change the typical chroot() + setuid() order the other way around;
> you're guaranteed the chrooted process will never change users
> afterwards, because it won't honour set[ug]id binaries anymore.
>
> Our security officer was wise enough to add the following to the PR:
>
> +----------------------------------------------------------+
> |UNDER NO CONDITIONS SHOULD THIS PATCH BE COMMITTED WITHOUT|
> |EXPLICIT APPROVAL FROM THE FREEBSD SECURITY OFFICER.      |
> +----------------------------------------------------------+
>
> After having a discussion with Colin on IRC, there are a couple of
> questions we would like to be answered (or discussed) before getting
> this in the tree:
>
> - Are there any comments on the patch itself?
>
> - Colin was concerned whether, if turned on, it would be possible for
>   the user to do things which it normally couldn't and shouldn't.
>
> It would be great to get many reviews on this before we'd land it in the
> source tree. I've attached the patch to this email as well. Thanks!
>
> --
> Ed Schouten
> WWW: http://80386.nl/
>
> * Hardlink a setuid binary to a directory containing a fake C library
>   and execute it.

I think that the patch gives instant root.

FreeBSD provides an rfork(2) system call. This call allows processes to
share the filedesc table, which, among other information, contains the
root of the filesystem namespace for the process.

So, the scenario is to rfork() a process without the RFFDG flag, and then
for one of the resulting processes to perform a chroot. Now the second
one has the chrooted root, but no P_NOSUGID flag set.
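The sharing that Kostik's scenario relies on, as an added example that is not part of this thread or of the patch under review: a child created without a private filedesc table changes the directory state of its sibling as well. On FreeBSD that is rfork(RFPROC) with RFFDG left out; on Linux the closest analogue (an assumption of this example, not something the thread discusses) is clone(2) with CLONE_FS, which shares the fs_struct holding root and cwd. chdir() stands in for chroot() because the two live in the same shared structure and chdir() needs no privilege, so the program can be run as an ordinary user. The temporary directory path and the function names are this example's own.

```c
/*
 * Added example (not from the thread or the FreeBSD patch): a child that
 * shares its parent's directory state chdir()s, and the parent's cwd
 * follows, although the parent never called chdir() itself. This is the
 * same sharing that would hand a sibling a chrooted root without the
 * per-process P_NOSUGID flag in the scenario described above.
 */
#define _GNU_SOURCE
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#ifndef __FreeBSD__
#include <sched.h>          /* clone(2), CLONE_FS (Linux analogue) */
#endif

/* Child body: change directory in the shared table, then exit. */
static int child_chdir(void *arg)
{
    if (chdir((const char *)arg) != 0)
        _exit(1);
    _exit(0);
}

/*
 * Spawn a child that shares the caller's root/cwd state and chdir()s to
 * `dir`. Returns the child pid, or -1 on failure.
 */
static pid_t spawn_sharing_dirs(const char *dir)
{
#ifdef __FreeBSD__
    pid_t pid = rfork(RFPROC);      /* RFFDG omitted: filedesc is shared */
    if (pid == 0)
        child_chdir((void *)dir);
    return pid;
#else
    static char stack[64 * 1024] __attribute__((aligned(16)));
    /* CLONE_FS shares root, cwd and umask; no CLONE_VM, memory is copied. */
    return clone(child_chdir, stack + sizeof stack, CLONE_FS | SIGCHLD,
                 (void *)dir);
#endif
}

/*
 * Returns 1 if the parent's cwd moved to `target` even though only the
 * child called chdir(), 0 if the parent kept its own cwd, -1 on error.
 * The caller's cwd is restored before returning.
 */
int sibling_chdir_leaks(const char *target)
{
    char before[PATH_MAX], after[PATH_MAX], want[PATH_MAX];
    int status, result;
    pid_t pid;

    if (getcwd(before, sizeof before) == NULL ||
        realpath(target, want) == NULL)
        return -1;
    pid = spawn_sharing_dirs(target);
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    if (getcwd(after, sizeof after) == NULL)
        return -1;
    result = strcmp(after, want) == 0 && strcmp(after, before) != 0;
    (void)chdir(before);
    return result;
}

/* Run the check against a fresh temporary directory (constructed input). */
int demo_shared_dirs(void)
{
    char tmpl[] = "/tmp/rforkdemo.XXXXXX";   /* assumed writable /tmp */
    int r;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    r = sibling_chdir_leaks(tmpl);
    (void)rmdir(tmpl);
    return r;
}

int main(void)
{
    int r = demo_shared_dirs();

    printf("parent cwd followed the child's chdir(): %s\n",
           r == 1 ? "yes (directory state is shared)" :
           r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

Read the result against the reply: a flag such as P_NOSUGID set in the chrooting process's own proc structure only marks that one process, while the root it changed sits in the table both processes share, so the sibling ends up chrooted without ever passing through the code that sets the flag.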