From: Stef Walter
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Date: Thu, 19 Jul 2007 20:34:29 +0000 (UTC)
Subject: Re: kern.chroot_allow_open_directories

Pieter de Boer wrote:
>> Is this sysctl meant to prevent breaking out of a chroot? Or am I
>> missing the point of 'kern.chroot_allow_open_directories'?
>>
> If the sysctl was set to 0 at the moment chroot() was called, then the
> chroot() would have failed if the calling process had open directories
> (that's what the sysctl is meant to do, if I'm understanding the source
> right). If directories weren't open, the chroot() would work, but the
> process would obviously not be able to open directories outside the
> chroot after that, even if you'd set the sysctl to 1.
>
> As I see it, there's no problem here, but could be wrong; chroot() is
> tricky afaik..

Yes, it sure is. However if a root process inside the chroot jail reset
that sysctl, after which it seems it could perform the usual break out
thingy:

http://www.bpfh.net/simes/computing/chroot-break.html

I guess what I was wondering, is if FreeBSD is in fact immune to this
attack, and whether it makes sense to chroot superuser processes on FreeBSD.

Cheers,
Stef
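
Added example, not part of the original message or of FreeBSD's source: a user-space guard that applies the open-directory condition discussed above before calling chroot(), then drops root so the confined process cannot change the sysctl afterwards. The function names, `FD_SCAN_LIMIT`, the `/var/empty` path and the uid/gid 65534 are assumptions chosen for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define FD_SCAN_LIMIT 4096 /* assumption: no descriptor above this is in use */

/* Number of open descriptors that refer to directories. */
int count_open_directory_fds(void)
{
    struct stat st;
    int count = 0;

    for (int fd = 0; fd < FD_SCAN_LIMIT; fd++)
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            count++;
    return count;
}

/* Hypothetical helper: make `dir` the root, then give up root for good.
 * Fails with EPERM while any directory descriptor is open, whatever the
 * sysctl is set to at the time. */
int enter_chroot_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (count_open_directory_fds() > 0) {
        errno = EPERM;
        return -1;
    }
    if (chdir(dir) != 0 || chroot(".") != 0)
        return -1;
    /* Groups first, then gid, then uid: the reverse order would fail. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0) { /* root must not be recoverable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    int fd = open(".", O_RDONLY); /* constructed: a stray directory descriptor */
    int rc = enter_chroot_and_drop("/var/empty", 65534, 65534); /* sample values */
    printf("with directory fd %d open: rc=%d\n", fd, rc);
    close(fd);
    return 0;
}
```

Run as a normal user, the program reports rc=-1 because the guard trips before chroot() is attempted.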