Subject: Re: chroot jail for ftpd
To: None <tech-kern@netbsd.org, tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 10/18/2001 18:45:37
On Thu, Oct 18, 2001 at 03:41:57PM -0700, Jonathan Stone wrote:
>
> >Yes, highly verbotten. There is another way to accomplish this. I'll
> >take a look, but I would suggest making THAT check dependent on a sysctl
> >variable that defaults to "off".
>
> I already suggested the sysctl. Problem is, this check doesnt
> acutally close the loophole Thor is worried about, unless you also
> (at a minimum) prohibit anyone from setting x bits on files on a
> filesystem mounted writable-but-noexec.
I have two separate concerns:
1) Code from shared libraries can be mapped PROT_EXEC, and thus directly
executed, though the files do not actually have execute permission.
2) We don't even *check* to see if files have execute permission before
executing code that came from them via mmap -- for example, shared
libraries.
The sum total of these bugs is the security hole I'm complaining about:
shared libraries can be used to subvert a carefully-constructed secure
system where there are no writable filesystems on which any file will be
treated by the kernel as if it has execute permission. I still think
they are both bugs independently.
--
Thor Lancelot Simon tls@rek.tjls.com
And now he couldn't remember when this passion had flown, leaving him so
foolish and bewildered and astray: can any man?
William Styron