From: Harold Gutch <logix@foobar.franken.de>
To: Garance A Drosihn, Marco Molteni
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 21 Dec 1998 17:42:22 +0100
Subject: Re: A better explanation (was: buffer overflows and chroot)
Message-ID: <19981221174222.A1588@foobar.franken.de>
References: <62537.913989002@zippy.cdrom.com>
In-Reply-To: from Garance A Drosihn on Sat, Dec 19, 1998 at 05:22:57AM -0500

On Sat, Dec 19, 1998 at 05:22:57AM -0500, Garance A Drosihn wrote:
> At 7:57 PM +0100 12/18/98, Marco Molteni wrote:
> >Scenario:
> >
> > 1. Bob is a non-privileged user.
> > 2. Bob actively searches for buffer overflows in suid binaries.
> > 3. If Bob is able to do his job, sooner or later he'll get root.
> > 4. I don't mind if Bob is a good guy or a bad guy, I don't want
> >    anybody to be root on my machines.
> > 5. I want to put him in a chroot jail full of suid binaries, but
> >    suid not to root, to pseudoroot, where pseudoroot is a
> >    non-privileged user.
> > 6. Bob can do all his experiments in his nice jail.
> > 6. If Bob becomes pseudoroot, I am still safe, since:
> >    6.1 he is in a chroot jail
> >    6.2 in the jail there isn't any executable suid to a privileged
> >        user (root, bin, whatever).
> >    6.3 from 6.2, he can't escape from the jail
> >
> > Is 6.3 correct?
>
> From #2, Bob is running setuid binaries. Presumably he's running a

Binaries suid to some _unprivileged_ user. That's the whole point Marco is
trying to make here. "bob" will eventually manage to become some other
user. So, in case "bob" manages to exploit some buffer overflow or whatever
other bugs your suid binary has, he will only be able to become another
_unprivileged_ user. Unless he can do further harm from this uid, you are
safe. He will not be able to break out of the chroot jail unless he himself
is root (at least I have no idea how you'd break out being a normal
unprivileged user).

--
bye,
  logix

Sleep is an abstinence syndrome which occurs due to lack of caffeine.
                                        Wed Mar 4 04:53:33 CET 1998 #unix, ircnet
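Premise 6.2 above (nothing inside the jail is setuid or setgid to a privileged user) is something the administrator can verify before letting anyone in. The following audit is an added example, not code from this thread; it assumes a POSIX sh with find, ls and awk, and treats uid/gid 0 as the only privileged ids unless other numeric ids (e.g. bin's) are passed explicitly.

```shell
#!/bin/sh
# audit_jail_suid JAIL_DIR [PRIV_ID ...]
# Lists every regular file under JAIL_DIR that is setuid to a privileged
# uid or setgid to a privileged gid. Privileged ids default to 0; pass a
# list of numeric ids to check against a different set (e.g. "0 1 2").
# Prints "<mode> <uid> <gid> <path>" per finding; exit 0 if clean, 1 if not.
audit_jail_suid() {
    jail=$1; shift
    priv=" ${*:-0} "   # space-delimited so " 10 " does not match " 100 "
    # ls -n prints numeric uid/gid, so the check does not depend on the
    # passwd file inside or outside the jail. LC_ALL=C fixes the column layout.
    LC_ALL=C find "$jail" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -lnd {} + 2>/dev/null |
    awk -v priv="$priv" '
        {
            mode = $1; uid = $3; gid = $4
            # The path starts at field 9; rejoin it in case it contains spaces.
            path = $9; for (i = 10; i <= NF; i++) path = path " " $i
            setuid = substr(mode, 4, 1) ~ /[sS]/   # owner execute slot
            setgid = substr(mode, 7, 1) ~ /[sS]/   # group execute slot
            if ((setuid && index(priv, " " uid " ")) ||
                (setgid && index(priv, " " gid " "))) {
                print mode, uid, gid, path
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}
```

A clean run exits 0 and prints nothing, so it can be used as a gate in the script that populates the jail.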