Mailinglist Archive: opensuse-security (226 mails)
Re: [suse-security] SuSEconfig and read-only proc in 9.2
- From: Philippe Vogel <filiaap@xxxxxxxxxx>
- Date: Mon, 25 Apr 2005 03:10:59 +0200
- Message-id: <426C43A3.4050607@xxxxxxxxxx>
Hi!
>>>> Unmounting /var/spool/postfix/proc does apparently not affect
>>>> anything.
>>>>
>>>> Is there a deeper meaning in it in the end?
My question still is: Why does this affect /proc?
If I run postfix in chroot and I want to restart my firewall script, it
tells me /proc is ro and I can't set kernel parameters.
If I boot, postfix is started after the firewall is initialized - this
means at boot time it will set options as I desire.
If I want to change things at runtime, e.g. after setup of a new box
with a new firewall rule for it, I get the error /proc is ro :)
Any conclusions?
By the way, why is proc mounted ro and rw?
Second thing: If I got access to /proc, chroot can be escaped and -
even if it is only ro - any malicious user can read files from /proc with
the process user's rights.
This means for me chrooted postfix within SuSE isn't what it's
expected to be - any attacker can escape chroot, maybe only ro, but
he/she can.
I got this behavior with a self-crafted chroot apache with /proc
access as well.
Am I right, or what did I forget about this?
Philippe
--
This message is digitally signed and bears neither seal nor
signature!
The unsolicited sending of an advertising e-mail to private individuals
violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998,
case no. 16 O 201/98). Any commercial use of the transmitted
personal data, as well as passing it on to third parties, is expressly
prohibited!
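
A check for the condition the message describes, as an added example that is not part of the original post: it reads a mount table in /proc/mounts format and reports every procfs instance, its ro/rw state, and any instance mounted outside /proc, such as /var/spool/postfix/proc. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit procfs mounts in a table that uses the
# /proc/mounts format (device, mount point, fstype, options, ...).
# Usage: audit_proc_mounts [file]   (default /proc/mounts, "-" = stdin)
audit_proc_mounts() {
    awk '
    $3 == "proc" {
        # field 2 is the mount point, field 4 the comma-separated options
        mode = "rw"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
        where = ($2 == "/proc") ? "host" : "extra"
        printf "%s %s %s\n", where, mode, $2
        seen[mode] = 1
        if (where == "extra") extra++
        if (where == "host" && mode == "ro") hostro = 1
    }
    END {
        if (hostro) print "WARN host /proc is read-only: kernel parameter writes will fail"
        if (seen["ro"] && seen["rw"]) print "WARN procfs is mounted both ro and rw"
        if (extra) print "WARN " extra " procfs mount(s) outside /proc"
    }' "${1:-/proc/mounts}"
}

# Constructed sample table (not taken from a real system): the host
# /proc plus a read-only procfs inside the postfix chroot directory.
sample_mounts() {
    cat <<'EOF'
/dev/hda2 / reiserfs rw 0 0
proc /proc proc rw 0 0
proc /var/spool/postfix/proc proc ro 0 0
EOF
}

# Run the audit on the constructed sample.
sample_mounts | audit_proc_mounts -
```

On a live system, call `audit_proc_mounts` with no argument before and after starting the chrooted service and compare the two reports.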