svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

Andrey Chernov ache at FreeBSD.ORG
Thu Dec 29 20:35:23 UTC 2011


On Thu, Dec 29, 2011 at 12:15:31PM -0800, Xin Li wrote:
> > Instead of totally disabling it we can (by calling an rtld function)
> > restrict dlopen() in ftpd() to absolute paths from a list of known
> > safe directories like "/etc", "/lib", "/usr/lib", etc.
> 
> This just came back to the origin!!  These "safe" locations are not
> necessarily safe inside a chroot environment, and the issue was
> exactly loading a library underneath /lib/.
> 
> I just realized that someone has removed some details from my
> advisory draft by the way.  To clarify: the chroot issue is not about
> the usual usage of chroot, but the fact that many chroot setups are
> not safe (e.g. "recommended" practice is to create a user writable
> directory under the chroot root with everything else read-only).

An insecure (non-root) /lib may happen by admin mistake, which is a very
different situation from loading a .so from the current (say /incoming/)
directory. We can't provide babysitting for every admin in our code, but
we can do so only in our documentation (probably by repeating the same
thing in the ftpd docs and the chroot docs). And many admins don't need
babysitting and may take it as an unnecessary restriction.

-- 
http://ache.vniz.net/
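
The two checks debated in this thread, combined in one place as an added example (not code from FreeBSD's rtld or ftpd, and not posted by either participant): an allowlist of absolute directories, plus an ownership walk that rejects a library whose directory chain is not root-owned and read-only, as can happen inside a chroot. The function names and the allowlist contents are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700   /* for realpath() */
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Assumed allowlist: the directories named in the thread. */
static const char *const allowed_dirs[] = { "/etc", "/lib", "/usr/lib" };

/* 1 if path is absolute, has no ".." step, and lies below an allowed directory. */
int in_allowed_dir(const char *path)
{
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL)
        return 0;
    for (size_t i = 0; i < sizeof(allowed_dirs) / sizeof(allowed_dirs[0]); i++) {
        size_t n = strlen(allowed_dirs[i]);
        /* Match on a component boundary so "/libevil/x.so" is not under "/lib". */
        if (strncmp(path, allowed_dirs[i], n) == 0 && path[n] == '/' && path[n + 1] != '\0')
            return 1;
    }
    return 0;
}

/* 1 if owned by root and not writable by group or other. */
int root_owned_not_writable(const struct stat *st)
{
    return st->st_uid == 0 && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Resolve symlinks, apply the allowlist, then check the file and every ancestor up to "/". */
int lib_path_is_trusted(const char *path)
{
    char p[PATH_MAX];
    struct stat st;
    if (realpath(path, p) == NULL || !in_allowed_dir(p) || stat(p, &st) != 0 ||
        !S_ISREG(st.st_mode) || !root_owned_not_writable(&st))
        return 0;
    while (p[1] != '\0') {                 /* stop once p has been cut back to "/" */
        char *slash = strrchr(p, '/');
        *(slash == p ? slash + 1 : slash) = '\0';   /* keep the leading "/" */
        if (stat(p, &st) != 0 || !root_owned_not_writable(&st))
            return 0;                      /* a writable ancestor lets the library be swapped */
    }
    return 1;
}

int main(int argc, char **argv)
{
    return (argc == 2 && lib_path_is_trusted(argv[1])) ? 0 : 1;  /* exit 0 = trusted */
}
```

Paths are evaluated relative to the process's current root, so after chroot() the walk inspects the chroot's own /lib rather than the host's.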

