svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

[Xin Li]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/23/11 07:58, John Baldwin wrote:
> On Friday, December 23, 2011 10:00:38 am Colin Percival wrote:
>> Author: cperciva Date: Fri Dec 23 15:00:37 2011 New Revision:
>> 228843 URL: http://svn.freebsd.org/changeset/base/228843
>> 
>> Log: Fix a problem whereby a corrupt DNS record can cause named
>> to crash. [11:06]
>> 
>> Add an API for alerting internal libc routines to the presence
>> of "unsafe" paths post-chroot, and use it in ftpd. [11:07]
> 
> Eh, the whole libc_dlopen() thing looks like a gross hack (and who
> came up with that weird symbol name for a public API????).  Is it
> really even needed given the other fix to have ftpd drop privilege
> before execing a helper program?  I guess the main reason I don't
> like it is it doesn't do

This is not sufficient if only privileges are dropped.  The attacker
can still get e.g. a shell or start an IRC bot if the application is
not careful enough.

The current form the patch is, is based on a lengthy discussion
between secteam@ and re@ and we did thought about other alternatives,
like using a wrapper around chroot(2) and contain everything in it, or
check permissions on certain "important" files, etc.  These would
require changes to chroot(2) semantics which could break existing
installations and the outcome could be quite silent which eventually
results in this.

Cheers,
- -- 
Xin LI <delphij at delphij.net>	https://www.delphij.net/
FreeBSD - The Power to Serve!		Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk701LcACgkQOfuToMruuMAoqACgiDXP636IAhXnEpa54UBQa9SW
2ncAnRulYPS4+BtqizIP2BEiu4bhmJss
=C2U1
-----END PGP SIGNATURE-----