kern/121073: Patch to run chroot as an unprivileged user
Ed Schouten
ed at fxq.nl
Mon Feb 25 15:30:03 UTC 2008
The following reply was made to PR kern/121073; it has been noted by GNATS.
From: Ed Schouten <ed at fxq.nl>
To: bug-followup at FreeBSD.org, jille at quis.cx
Cc:
Subject: Re: kern/121073: Patch to run chroot as an unprivileged user
Date: Mon, 25 Feb 2008 16:21:46 +0100
Hello,
Just wanted to add some info about what this patch does:
As far as I know, the only unsafe thing about chroot(2) is the fact that
you can trick set[ug]id applications to do unwanted things when
hardlinked into a new root directory, for example:
- The user could store a different C library inside the chroot to
perform an execl("/bin/sh", ...).
- The user could just store his own passwd files, including database
files, to make applications like su(8) work, without the proper
privileges.
This patch adds a new flag called P_NOSUGID. When enabled, this process
will not honor the setuid and setgid flags anymore, just like MNT_NOSUID
and P_TRACED.
I have great confidence that this patch does not add any security holes,
but just to be sure, this patch adds a sysctl to disable this behaviour
by default.
-- 
Ed Schouten <ed at fxq.nl>
WWW: http://g-rave.nl/
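A defender-side check for the hazard described in the mail above (set[ug]id binaries hardlinked into a chroot tree where the user controls the C library or passwd files), added here as an example; it is not part of the PR or of Ed's patch. It assumes a POSIX `find` and reports only files inside the given root that carry the setuid or setgid bit and have a link count above one.

```shell
#!/bin/sh
# Added example, not from the PR: list set[ug]id regular files under a chroot
# root that are hardlinks (link count > 1). Such a file has at least one other
# name, typically outside the jail, so a privileged binary can be made to run
# with whatever libc or passwd database the jail owner placed next to it.
# Prints each hit; returns 1 if any were found, 0 if none, 2 on bad input.
audit_chroot_sugid() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_chroot_sugid: $root is not a directory" >&2
        return 2
    fi
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set;
    # -links +1: more than one hard link to the inode.
    hits=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) -links +1 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Run it as `audit_chroot_sugid /path/to/jail` on the jail root before handing the tree to an unprivileged user; an empty result means no set[ug]id file inside it shares an inode with anything else.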