Subject: Re: i386 + aperture + 1.6Q
To: Perry E. Metzger <firstname.lastname@example.org>
From: Pavel Cahyna <email@example.com>
Date: 03/28/2003 21:38:25
> Pavel Cahyna <firstname.lastname@example.org> writes:
> > > > Consider a daemon which runs in a chroot jail. The files and directories
> > > > in the jail are made immutable. Say that the daemon is exploited and the
> > > > attacker gains root privileges. How will he program the DMA controller
> > > > of the video card if there is no /dev/xf86 in the chroot jail? But if
> > > > you compile the kernel with option INSECURE, he will be able to unset
> > > > the immutable flag on directories and make any device node he wants.
> > >
> > > He can't touch any directory he wants, because he's in a chroot jail. :)
> > He can make new device nodes if he wants, no?
> Not unless you're root. Most NetBSD daemons (ntp, named, postfix,
Of course - see above.
> etc.) do not execute as root when chrooted.
> If the attacker does get root, and has the ability to execute
> arbitrary code (like mknod(2)), you're pretty much lost. I can come up
> with all sorts of evil things you can do even at high secure level.
Please continue :-)
I believe the idea of securelevel is to disallow many things for
exploiters even if they get root privileges.