[Reviews requested] kern/121073: chroot for non-root users

Kostik Belousov kostikbel at gmail.com
Sat Aug 16 12:31:58 UTC 2008


On Sat, Aug 16, 2008 at 01:18:24PM +0200, Ed Schouten wrote:
> Hello everyone,
> 
> When I visited FOSDEM back in February, I was talking with Jille
> Timmermans about the chroot() call. After discussing that the problem
> with chroot() is that it cannot safely be executed by non-root users
> w.r.t. setuid binaries*, we wrote this patchset for the kernel to add
> something similar to `MNT_NOSUID' to the process flags. The result
> being:
> 
> 	http://bugs.FreeBSD.org/121073
> 
> The patch even adds a small security improvement to the system. Say,
> you'd change the typical chroot() + setuid() order the other way around,
> you're guaranteed the chrooted process will never change users
> afterwards, because it won't honour set[ug]id binaries anymore.
> 
> Our security officer was wise enough to add the following to the PR:
> 
>     +----------------------------------------------------------+
>     |UNDER NO CONDITIONS SHOULD THIS PATCH BE COMMITTED WITHOUT|
>     |EXPLICIT APPROVAL FROM THE FREEBSD SECURITY OFFICER.      |
>     +----------------------------------------------------------+
> 
> After having a discussion with Colin on IRC, there are a couple of
> questions we would like to be answered (or discussed) before getting
> this in the tree:
> 
> - Are there any comments on the patch itself?
> 
> - Colin was concerned that, if turned on, it would be possible for the user
>   to do things which it normally couldn't and shouldn't.
> 
> It would be great to get many reviews on this before we'd land it in the
> source tree. I've attached the patch to this email as well. Thanks!
> 
> -- 
>  Ed Schouten <ed at 80386.nl>
>  WWW: http://80386.nl/
> 
> * Hardlink a setuid binary into a directory containing a fake C library
>   and execute it.

I think that the patch gives instant root. FreeBSD provides the rfork(2)
system call. This call allows processes to share the filedesc table, which,
among other information, contains the root of the filesystem namespace
for the process.

So, the scenario is to rfork() a process without the RFFDG flag, and then
for one of the resulting processes to perform a chroot. Now the second one
has a chrooted root, but no P_NOSUGID flag set.
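The "typical chroot() + setuid() order" Ed mentions above, as an added example that is not part of the PR's patch or of either poster's mail: chroot() is done while the process is still privileged, the working directory is moved inside the new root, supplementary groups, gid and uid are dropped in that order, and a final check confirms uid 0 cannot be regained. The jail path `/var/empty` and the uid/gid 65534 are constructed values; the refusal of a target uid or gid of 0 is an added guard, not something the thread discusses.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged uid/gid inside a chroot, in the usual order:
 * chroot() while still root, then give up the credentials. Returns 0 on
 * success, -1 with errno set on failure. A target uid or gid of 0 is
 * refused, since that would "drop" into the privileges we mean to shed. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* chroot() needs privilege, so it comes first; chdir("/") afterwards,
     * otherwise the cwd would still point outside the new root. */
    if (chroot(jail) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    /* Order matters: supplementary groups, then gid, then uid. Once the
     * uid is unprivileged, setgroups()/setgid() would no longer succeed. */
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Post-drop check: real and effective uid must be non-zero, and an attempt
 * to go back to uid 0 must fail. Returns 1 if privileges are really gone. */
int privileges_really_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)      /* expected to fail with EPERM */
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed values: an empty jail directory and the conventional
     * "nobody" uid/gid. Only succeeds when started as root. */
    if (drop_privileges("/var/empty", 65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    int ok = privileges_really_dropped();
    printf("privileges dropped: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

The point Ed makes follows directly from this sequence: once setuid() has run, the process holds no privilege that a later set[ug]id binary could hand back, which is what the proposed process flag is meant to guarantee for the reversed order.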