
Re: apt-get and The_User



On Sun, Dec 03, 2000 at 01:03:54AM +0100, Remco Blaakmeer <remco-blaakmeer@quicknet.nl> was heard to say:
> > > Would you care please to be a bit more specific please? What kind of
> > > library would that be and why setting up a true chroot environment for
> > > user with its own dpkg would be such a bad idea (I can see some problems
> > > with syncing the 2 dpkg databases and deciding what's for user and
> > > what's for system)?
> 
> > I'd think that it was a bad idea because the user could run `chroot
> > bash` and they have a root shell...also, the user could read root's mail
> > or do other evil stuff: deleting more files than a normal user can;
> > editing logs (if you don't use chattr); `apt-get -y --purge remove
> > libc6`...or even `apt-get install {local,remote}_root_exploit` or
> > something of that nature...)
> 
> <snip from chroot(8)>
> NAME
>        chroot  -  run  command  or interactive shell with special
>        root directory
> </snip>
> 
> In what way would chroot elevate privileges for a non-root user?

  I'm not sure, but I think that there may be an issue with, e.g.:

(a) ln /bin/some-'safe'-suid-program my-evil-chroot/bin
(b) cp my-hacked-libc my-evil-chroot/lib
(c) cp /bin/bash my-evil-chroot/bin
(d) chroot my-evil-chroot some-'safe'-suid-program
(e) the hacked libc causes some-'safe'-suid-program to make
  my-evil-chroot/bin/bash suid root
(f) my-evil-chroot/bin/bash my-evil-rootkit

  (I don't really know what the issue is, but this would seem like a logical
   concern to me)

  Daniel

-- 
/----------------- Daniel Burrows <Daniel_Burrows@brown.edu> -----------------\
|                   DROP THE SCYTHE AND TURN AROUND SLOWLY.                   |
|                     -- Terry Pratchett, "Reaper Man"                        |
\----------------- The Turtle Moves! -- http://www.lspace.org ----------------/
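
Steps (a)-(f) in the message above hinge on a setuid binary being hard-linked into a directory tree the user controls. As an added example (not part of the original message), this Python audit lists set-id files that have more than one link and marks those sitting in directories a non-root user can write to; the function names are this example's own.

```python
import os
import stat
from collections import defaultdict

def find_linked_setid(roots):
    """Return {(dev, ino): [paths]} for set-id regular files with link count > 1."""
    hits = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue  # vanished or unreadable
                if not stat.S_ISREG(st.st_mode):
                    continue
                setid = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
                if setid and st.st_nlink > 1:
                    hits[(st.st_dev, st.st_ino)].append(path)
    return dict(hits)

def dir_is_user_controlled(path):
    """True if the containing directory is not root-owned or is group/other writable."""
    st = os.stat(os.path.dirname(path))
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def report(roots):
    """Return a sorted list of (path, links_found, user_controlled_dir) findings."""
    out = []
    for paths in find_linked_setid(roots).values():
        for p in paths:
            out.append((p, len(paths), dir_is_user_controlled(p)))
    return sorted(out)

if __name__ == "__main__":
    import sys
    for path, seen, risky in report(sys.argv[1:] or ["/"]):
        flag = "USER-CONTROLLED DIR" if risky else "ok"
        print(f"{path}\tlinks_found={seen}\t{flag}")
```

A set-id file whose link count is higher than the number of paths found has another name outside the scanned roots, so scan every directory on the same filesystem.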


