From: Pawel Jakub Dawidek <pjd@garage.freebsd.pl>
To: stef@memberwebs.com
Cc: freebsd-security@freebsd.org, Pieter de Boer
Date: Fri, 10 Aug 2007 14:01:22 +0200
Subject: Re: kern.chroot_allow_open_directories
Message-ID: <20070810120122.GF12687@garage.freebsd.pl>
In-Reply-To: <20070719203428.C44AAD4C09@mx.npubs.com>
References: <20070717032204.09BA8D4F8E@mx.npubs.com> <469FA0D1.7000304@thedarkside.nl> <20070719203428.C44AAD4C09@mx.npubs.com>
User-Agent: Mutt/1.4.2.3i
X-OS: FreeBSD 7.0-CURRENT i386
List-Id: freebsd-security@freebsd.org "Security issues [members-only posting]"
On Thu, Jul 19, 2007 at 08:34:29PM +0000, Stef Walter wrote:
> Pieter de Boer wrote:
> >> Is this sysctl meant to prevent breaking out of a chroot? Or am I
> >> missing the point of 'kern.chroot_allow_open_directories'?
> >>
> > If the sysctl was set to 0 at the moment chroot() was called, then the
> > chroot() would have failed if the calling process had open directories
> > (that's what the sysctl is meant to do, if I'm understanding the source
> > right). If directories weren't open, the chroot() would work, but the
> > process would obviously not be able to open directories outside the
> > chroot after that, even if you'd set the sysctl to 1.
> >
> > As I see it, there's no problem here, but could be wrong; chroot() is
> > tricky afaik..
>
> Yes, it sure is.
>
> However, if a root process inside the chroot jail reset that sysctl,
> it seems it could then perform the usual break-out thingy:
>
> http://www.bpfh.net/simes/computing/chroot-break.html
>
> I guess what I was wondering is if FreeBSD is in fact immune to this
> attack, and whether it makes sense to chroot superuser processes on FreeBSD.

Superuser running inside chroot(2) has many ways to escape. You basically
gain no additional security in chrooting a process that will continue to
operate with privileges. You should either chroot and drop privileges or
use jail(2).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
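The "chroot and drop privileges" sequence Pawel recommends, written out as an added C example; it is not code from the thread, from the linked page, or from FreeBSD itself. The directory, uid and gid are command-line arguments chosen by the reader (the test values below are constructed). The function refuses to leave the process running as root inside the new root, orders chdir/chroot so the working directory ends up inside the new root (chroot(2) does not move the cwd, which is what the classic escape relies on), and verifies afterwards that setuid(0) fails. Without root, the process can no longer call chroot(2) again, so the mkdir/chroot/chdir("..") walk described at the linked URL has nothing to work with; jail(2) is the alternative when the process must keep privileges.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Make `dir` the process root and permanently drop to uid/gid.
 * Returns 0 on success, -1 with errno set on failure.
 * Must be called as root (chroot(2) needs it), but refuses to
 * leave the caller running as root inside the chroot: that is the
 * configuration the thread says buys no security.
 */
int enter_chroot_drop_privs(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;         /* "chroot but stay root" is not containment */
        return -1;
    }

    /* chdir first: after chroot(".") the cwd is inside the new root,
     * so there is no path from cwd back to the real filesystem.
     * chroot() alone leaves cwd where it was. */
    if (chdir(dir) == -1)
        return -1;
    if (chroot(".") == -1)
        return -1;
    if (chdir("/") == -1)
        return -1;

    /* Drop supplementary groups first, then gid, then uid: once uid is
     * non-zero, setgroups()/setgid() would fail. */
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;

    /* Verify the drop is irreversible: if any saved/real uid is still 0,
     * setuid(0) succeeds and the process could chroot(2) its way out. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <dir> <uid> <gid>   (run as root)\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    if (enter_chroot_drop_privs(argv[1], uid, gid) == -1) {
        perror("enter_chroot_drop_privs");
        return 1;
    }
    /* From here the process is confined and unprivileged. */
    printf("confined in %s as uid %u gid %u; chroot(\"/\") now -> %s\n",
           argv[1], (unsigned)geteuid(), (unsigned)getegid(),
           chroot("/") == -1 ? strerror(errno) : "succeeded (!)");
    return 0;
}
```

Run as root with a prepared directory, e.g. `./confine /var/empty 65534 65534`; the final line should report that chroot(2) is refused (EPERM), which is the state the classic escape cannot reach. Passing uid 0 is rejected before any syscall is made.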