tech-kern archive


Re: fexecve
On Sun, Sep 08, 2019 at 09:53:50PM +0000, Taylor R Campbell wrote:
 > > What can we do about that?
 > 
 > It sounds like you're positing:
 > 
 > - there is a chrooted process A
 > - there is a colluding process B outside the chroot
 > - they share a socket
 > - B can open setuid executables and send their fds over the socket
 > - A can now execute setuid executables outside the chroot
 > 
 > How is this substantively different from the following?
 > 
 > - there is a chrooted process A
 > - there is a colluding process B outside the chroot
 > - they share a socket
 > - A can ask B to execute files by pathname and B will happily oblige
 > - A can now execute setuid executables outside the chroot
 > 
 > That is, under what meaningful circumstances can you rule out the
 > first scenario but not the second one?

The difference in the second scenario is that A can now execute setuid
executables from outside the chroot *in* the chroot, where paths the
executables implicitly or explicitly trust are resolved differently.

So for example it becomes pretty trivial to escalate to root inside
the chroot, and then with such collusion if the whole thing isn't
mounted nosuid it's also trivial to escalate to root outside.

-- 
David A. Holland
dholland%netbsd.org@localhost
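
A defender-side illustration, added here and not part of this thread or of NetBSD's own code: a user-space guard that a program which accepts descriptors from another process could apply before handing one to fexecve(2). It inspects the descriptor itself rather than a pathname (a path would be resolved inside the caller's chroot, whereas the fd refers to whatever the sender actually opened) and refuses images carrying S_ISUID or S_ISGID unless the backing filesystem is mounted nosuid, the case in which exec would ignore those bits anyway, as the reply above notes. The function and verdict names are this example's own; it assumes a POSIX system with fstatvfs(3) and ST_NOSUID, which NetBSD and Linux both provide.

```c
/* Added example: policy check before fexecve(2).  Not code from the thread. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

extern char **environ;

enum exec_verdict {
    EXEC_ALLOW = 0,          /* plain executable image */
    EXEC_REFUSE_NOT_REGULAR, /* not a regular file at all */
    EXEC_REFUSE_SETID,       /* set-id bits present and the kernel would honour them */
    EXEC_ERROR               /* fstat/fstatvfs failed; errno is set */
};

/* Decide from attributes only, so the rule can be tested with constructed
 * values.  Set-id bits are refused unless the backing filesystem is mounted
 * nosuid, in which case exec would ignore them anyway. */
enum exec_verdict classify_image(mode_t mode, unsigned long fs_flags)
{
    if (!S_ISREG(mode))
        return EXEC_REFUSE_NOT_REGULAR;
    if ((mode & (S_ISUID | S_ISGID)) != 0 && (fs_flags & ST_NOSUID) == 0)
        return EXEC_REFUSE_SETID;
    return EXEC_ALLOW;
}

/* Inspect the descriptor, not a pathname: a path would be resolved in this
 * process's (possibly chrooted) namespace, while the fd refers to whatever
 * object the sending process actually opened. */
enum exec_verdict check_fd_for_fexecve(int fd)
{
    struct stat st;
    struct statvfs vfs;

    if (fstat(fd, &st) == -1)
        return EXEC_ERROR;
    if (!S_ISREG(st.st_mode))
        return EXEC_REFUSE_NOT_REGULAR;
    if (fstatvfs(fd, &vfs) == -1)
        return EXEC_ERROR;
    return classify_image(st.st_mode, vfs.f_flag);
}

/* fexecve(2) wrapper that applies the policy first.  Returns -1 with errno
 * set (EPERM for a policy refusal) instead of executing. */
int guarded_fexecve(int fd, char *const argv[], char *const envp[])
{
    switch (check_fd_for_fexecve(fd)) {
    case EXEC_ALLOW:
        return fexecve(fd, argv, envp); /* only returns on failure */
    case EXEC_ERROR:
        return -1;                      /* errno already set by fstat/fstatvfs */
    default:
        errno = EPERM;
        return -1;
    }
}

/* Demo: ./guard /path/to/program [args...] */
int main(int argc, char *argv[])
{
    int fd;

    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    fd = open(argv[1], O_RDONLY);
    if (fd == -1) {
        perror(argv[1]);
        return 1;
    }
    guarded_fexecve(fd, argv + 1, environ);
    fprintf(stderr, "%s: not executed: %s\n", argv[1], strerror(errno));
    return 1;
}
```

The guard cannot tell which namespace a passed descriptor came from; it only removes the privilege-carrying case that the reply singles out. Because the check and the exec both go through the same open file rather than a path, a lookup race is avoided, though a writer with access to the file could still change its mode bits between fstat and fexecve.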