Subject: Re: chroot jail for ftpd
To: None <tech-kern@netbsd.org, tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 10/18/2001 18:45:37
On Thu, Oct 18, 2001 at 03:41:57PM -0700, Jonathan Stone wrote:
> 
> >Yes, highly verbotten.  There is another way to accomplish this.  I'll
> >take a look, but I would suggest making THAT check dependent on a sysctl
> >variable that defaults to "off".
> 
> I already suggested the sysctl.  Problem is, this check doesnt
> acutally close the loophole Thor is worried about, unless you also
> (at a minimum) prohibit anyone from setting x bits on files on a
> filesystem mounted writable-but-noexec.

I have two separate concerns:

1) Code from shared libraries can be mapped PROT_EXEC, and thus directly
   executed, though the files do not actually have execute permission.

2) We don't even *check* to see if files have execute permission before
   executing code that came from them via mmap -- for example, shared
   libraries.

The sum total of these bugs is the security hole I'm complaining about:
shared libraries can be used to subvert a carefully-constructed secure
system where there are no writable filesystems on which any file will be
treated by the kernel as if it has execute permission.  I still think
they are both bugs independently.

-- 
Thor Lancelot Simon	                                      tls@rek.tjls.com
    And now he couldn't remember when this passion had flown, leaving him so
  foolish and bewildered and astray: can any man?
						   William Styron