Re: apt-get and The_User

To: debian-devel@lists.debian.org
Subject: Re: apt-get and The_User
From: Ethan Benson <erbenson@alaska.net>
Date: Sun, 3 Dec 2000 00:26:25 -0900
Message-id: <[🔎] 20001203002625.L22155@plato.local.lan>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 87ofytx592.fsf@becket.becket.net>; from tb@becket.net on Sun, Dec 03, 2000 at 12:45:29AM -0800
References: <[🔎] 20001202174648.A8616@216.254.117.126> <[🔎] Pine.LNX.3.96.1001203000238.10084B-100000@qn-195-66-31-144.quicknet.nl> <[🔎] 20001202203928.A667@torrent> <[🔎] 20001202173311.H22155@plato.local.lan> <[🔎] 87k89ivwlm.fsf@becket.becket.net> <[🔎] 20001202231527.I22155@plato.local.lan> <[🔎] 87ofytx592.fsf@becket.becket.net>

On Sun, Dec 03, 2000 at 12:45:29AM -0800, Thomas Bushnell, BSG wrote:

> 
> I still don't understand your example; I found it very unclear, so I
> might be operating under a misunderstanding.

im going on memory and im not terribly familier with all the syscalls,
but the basic jist is doing an fchdir() to a directory under the
current chroot, so if you can chroot down one more level then fchdir
back up you have effectively broken the chroot().

i wish i could remember where i read about this....

say your chrooted to /chroot

you see in your chroot jail:

/foo/bar/ (both directories)

you  open a file descriptor on /foo

you then chroot to /foo/bar, now foo is no longer visable.

you fchdir() to foo, now your out of the chroot entirely.  

> > a completely seperate issue is whether its possible to make a setuid
> > root program to allow users to chroot safely.  i am only arguing that
> > changing the kernel to allow any user to use chroot() would end up
> > making chroot() useless for security purposes.  
> 
> I don't think this is true at all.  Suppose a good careful program
> chroots a user into a special environment.  It's a good, careful
> program: it leaves no extra file descriptors hanging around, and it
> has designed the chrooted playground carefully.  How can such a user
> escape from the environment if we let them chroot?

were talking about two different things, i am talking about allowing
any user to use the chroot() system call, so they could write any
program they want calling chroot() and have it work instead of getting
-EPERM back from the kernel.  your talking about (i think) rewriting
/usr/bin/chroot so it could be safely suid root doing all the
necessary checks to make sure the user is not playing any games with
file descriptors.  

besides that i think we are in agreement that deprivved chroot()
system call would be a failure anyway since there is the su trick you
posted earlier.  

even if we were to write a safe setuid root chroot program it would
still have to do a LOT of checking to ensure no games are being
played, such as fake chroot/etc/passwd and /bin/su hard links...

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpSQBcM_B7du.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: apt-get and The_User
  - From: tb@becket.net (Thomas Bushnell, BSG)

References:
- Re: apt-get and The_User
  - From: xsdg <xsdg@softhome.net>
- Re: apt-get and The_User
  - From: Remco Blaakmeer <remco-blaakmeer@quicknet.nl>
- Re: apt-get and The_User
  - From: Daniel Burrows <Daniel_Burrows@brown.edu>
- Re: apt-get and The_User
  - From: Ethan Benson <erbenson@alaska.net>
- Re: apt-get and The_User
  - From: tb@becket.net (Thomas Bushnell, BSG)
- Re: apt-get and The_User
  - From: Ethan Benson <erbenson@alaska.net>
- Re: apt-get and The_User
  - From: tb@becket.net (Thomas Bushnell, BSG)

Prev by Date: Re: apt-get and The_User
Next by Date: Re: apt-get and The_User
Previous by thread: Re: apt-get and The_User
Next by thread: Re: apt-get and The_User
Index(es):
- Date
- Thread