From: "Marco Molteni"
Date: Fri, 18 Dec 1998 20:08:32 +0100 (CET)
To: Michael Richards <026809r@acadiau.ca>
cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)

On Fri, 18 Dec 1998, Michael Richards wrote:

> > So my idea/question is: if I build a chroot jail for Bob, fitted with
> > all he needs (eg /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc)
> > and I replace all the suid root binaries with suid root2 binaries,
> > where root2 is a normal user, he can do his experiments, but he can't
> > get root.
>
> If the point here is academic research into an automatic buffer overflow
> program,

exactly. If I could, I'd give him a box to crash, but I can't.

> just give him 2 accounts and let him fiddle with exploiting from one
> userlevel to the other via a suid program.
  ^^^^^^^^^
I think you mean "from one uid to the other". I agree, and this is what I
first thought. But my idea of the jail comes from the fact that I can't
prevent him from trying overflows on other suid executables, eg suid root
ones.

Marco
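
Added example, not part of the original message: one way to check a jail built as described above, by listing any setuid files under the jail directory that are still owned by root rather than by the replacement user. The function names and the default uid of 0 are assumptions made for this example.

```shell
#!/bin/sh
# Audit a chroot tree for setuid files owned by a uid that must not
# appear there (uid 0 by default). Example code added for illustration.

# list_setid_owned_by JAIL_DIR UID
#   Prints every regular file under JAIL_DIR that has the setuid bit set
#   and is owned by UID, one path per line, sorted.
list_setid_owned_by() {
    jail=$1
    uid=$2
    # -xdev: stay on the jail's filesystem; -perm -4000: setuid bit set
    find "$jail" -xdev -type f -user "$uid" -perm -4000 -print | sort
}

# jail_is_clean JAIL_DIR [UID]
#   Returns 0 if no setuid file owned by UID remains, 1 if some do
#   (they are listed on stderr), 2 if JAIL_DIR is not a directory.
jail_is_clean() {
    jail=$1
    uid=${2:-0}
    if [ ! -d "$jail" ]; then
        echo "not a directory: $jail" >&2
        return 2
    fi
    hits=$(list_setid_owned_by "$jail" "$uid")
    if [ -n "$hits" ]; then
        echo "setuid files still owned by uid $uid under $jail:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# When called with arguments, audit the given jail directory.
if [ "$#" -ge 1 ]; then
    jail_is_clean "$@"
fi
```

Run it against the jail directory after replacing the binaries; a non-zero exit status means at least one suid root file was missed.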