Subject: Re: chroot jail for ftpd
To: Alfred Perlstein <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 10/18/2001 18:42:41
On Thu, Oct 18, 2001 at 04:35:04PM -0500, Alfred Perlstein wrote:
> * gabriel rosenkoetter <firstname.lastname@example.org> [011018 16:22] wrote:
> > On Thu, Oct 18, 2001 at 04:47:30PM -0400, Thor Lancelot Simon wrote:
> > > Yeah, let's do a special-purpose hack instead of actually enforcing the
> > > consistent rule that executable code has to come from an executable file.
> > >
> > > Gack.
> > Hrm. Well, when you put it that way...
> > But we have the unfortunate problem that enforcing this rule
> > consistently is something that we have been *not* doing for a very
> > long time. It's also something that other Unix-like operating
> > systems have been not doing for a very long time. (And probably
> > won't start doing any time soon.)
> > Doing it right sounds great. But maybe with, a little leniency about
> > the immediacy of the change?
> Sorry for jumping here but I fail to see the point of blocking
> access to shared libraries based on noexec filesystems or
> files without the execute bit set. Nothing is stopping some
> whacko from opening the file and using it as a shared object
> by read(2)'ing into a data area to jump into.
Uh, how, exactly, do you get the code that does that copy executed? If
there's no writable filesystem that you can exec from, you can't run
arbitrary code, much less arbitrary dangerous code.
Except that we have this idiotic special treatment of shared libraries:
we pretend they're data, not code. So, LD_PRELOAD, LD_LIBRARY_PATH, or
chroot() can be used to get new code executed even on a system carefully
constructed so that that should not be possible.
Thor Lancelot Simon email@example.com
And now he couldn't remember when this passion had flown, leaving him so
foolish and bewildered and astray: can any man?