Subject: Re: i386 + aperture + 1.6Q
To: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
From: Perry E. Metzger <perry@piermont.com>
List: current-users
Date: 03/28/2003 15:34:06
Pavel Cahyna <pcah8322@artax.karlin.mff.cuni.cz> writes:
> > > Consider a daemon which runs in a chroot jail. The files and directories 
> > > in the jail are made immutable. Say that the daemon is exploited and the
> > > attacker gains root privileges. How will he program the DMA controller
> > > of the video card if there is no /dev/xf86 in the chroot jail? But if
> > > you compile the kernel with option INSECURE, he will be able to unset
> > > the immutable flag on directories and make any device node he wants.
> > 
> > He can't touch any directory he wants, because he's in a chroot jail. :)
> 
> He can make new device nodes if he wants, no?

Not unless you're root. Most NetBSD daemons (ntp, named, postfix,
etc.) do not execute as root when chrooted.

If the attacker does get root, and has the ability to execute
arbitrary code (like mknod(2)), you're pretty much lost. I can come up
with all sorts of evil things you can do even at high secure level.

-- 
Perry E. Metzger		perry@piermont.com