Subject: Re: chroot jail for ftpd
To: None <tls@rek.tjls.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-security
Date: 10/18/2001 16:02:48
In message <20011018184537.B602@rek.tjls.com> Thor Lancelot Simon writes:
>On Thu, Oct 18, 2001 at 03:41:57PM -0700, Jonathan Stone wrote:

Hi Thor,

We seem to disagree on the root cause of your problem and how to fix
it.  Security is hard enough to get right, so please let me know where
(if anywhere) I'm going wrong.

>I have two separate concerns:
>
>1) Code from shared libraries can be mapped PROT_EXEC, and thus directly
>   executed, though the files do not actually have execute permission.

Aside from cache-coherency issues this is actually very hard to fix.
The memory-protection hardware in many modern CPUs doesn't distinguish
data-fetch protection on pages from I-fetch protection on pages.
(The last machine I recall using which did was a Pyramid 90x).

Aside from forcing cache-coherency on machines with split I/D caches,
there really isn't any difference on many of the machines we run on:
if you map a page readable, then the CPU can fetch from it, either
D-fetch cycles or I-fetch.


>2) We don't even *check* to see if files have execute permission before
> executing code that came from them via mmap -- for example, shared
> libraries.  

And here we need to check noexec, not for x bits.  If I can write a
trojan .so file into a writable filesystem, I can set the x bit on
that trojan .so file, too.


>The sum total of these bugs is the security hole I'm complaining about:

Scuse me, but it isn't, quite.  (Not unless by "execute permission",
you include checks for noexec and shared libraries: if so, we're just
arguing terminology.)  

Suppose both "bugs" are fixed. If you give me a writable filesystem, I
can populate it with a .so file, chmod +x that .so file, and set
LD_LIBRARY_PATH or LD_PRELOAD so that my new, trojan .so file gets
loaded and executed.  That breaks out of your sandbox in exactly the
fashion you complained about, irrespective of the two bugs you list.
I think Jason's patch stops that, but it's not quite what you
originally asked for.

OTOH, if Jason's patch goes in, do LD_LIBRARY_PATH and LD_PRELOAD
still make a loophole in your bastion-host sandboxes?
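An added example, written for this archive page and not part of Jonathan's or Thor's message: a small C probe that makes the two points above concrete for a writable filesystem inside a jail. It creates a throwaway file on the mount under test, asks the kernel to map it PROT_READ|PROT_EXEC once without and once with the x bit, and reports whether the x bit changed anything and whether the mount refused executable mappings at all. It assumes Linux/glibc mmap(2) semantics (PROT_EXEC on a file from a noexec mount fails with EPERM; the file's own mode bits are not consulted). Nothing in the mapping is ever executed; the file content is constructed filler.

```c
/* Probe: does the x bit, or the mount's noexec flag, decide whether a
 * file can be mapped PROT_EXEC?  Added example, not code from the thread.
 * Assumes Linux/glibc mmap(2) semantics; the probe file is constructed
 * filler and no byte of the mapping is ever executed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Try to map the first page of `path` with PROT_READ|PROT_EXEC.
 * Returns 1 if the kernel allowed it, 0 if it refused (errno in *err),
 * -1 if the file could not be opened. */
int exec_map_allowed(const char *path, int *err)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int saved = errno;
    close(fd);
    if (p == MAP_FAILED) {
        if (err)
            *err = saved;
        return 0;
    }
    munmap(p, len);
    return 1;
}

/* The check Thor asked about: does the file carry any execute bit? */
int has_exec_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? 1 : 0;
}

/* Create a small non-empty probe file under `dir` with mode `mode`;
 * its path is written to `buf`.  Returns 0 on success, -1 on error. */
int make_probe_file(const char *dir, mode_t mode, char *buf, size_t buflen)
{
    static const char filler[] = "constructed probe data, not code\n";
    snprintf(buf, buflen, "%s/probe-XXXXXX", dir);
    int fd = mkstemp(buf);
    if (fd < 0)
        return -1;
    if (write(fd, filler, sizeof filler - 1) < 0 || fchmod(fd, mode) != 0) {
        close(fd);
        unlink(buf);
        return -1;
    }
    close(fd);
    return 0;
}

/* Map the same file PROT_EXEC with mode 0644 and then 0755.
 * Returns 1 if the x bit made no difference (the point of the thread),
 * 0 if it did, -1 on error.  *mount_allows reports whether the mount
 * accepted a PROT_EXEC mapping at all (0 suggests noexec). */
int xbit_is_irrelevant(const char *dir, int *mount_allows)
{
    char path[PATH_MAX];
    int err = 0;
    if (make_probe_file(dir, 0644, path, sizeof path) != 0)
        return -1;
    int without_x = exec_map_allowed(path, &err);
    chmod(path, 0755);
    int with_x = exec_map_allowed(path, &err);
    unlink(path);
    if (without_x < 0 || with_x < 0)
        return -1;
    if (mount_allows)
        *mount_allows = with_x;
    return without_x == with_x;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";  /* mount to audit */
    int mount_allows = 0;
    int r = xbit_is_irrelevant(dir, &mount_allows);
    if (r < 0) {
        perror("probe");
        return 1;
    }
    printf("%s: PROT_EXEC mapping %s by the mount; x bit %s\n", dir,
           mount_allows ? "allowed" : "refused (noexec?)",
           r ? "made no difference" : "made a difference");
    return 0;
}
```

Run it with the writable directory of the jail as the argument. A mount that answers "refused" is enforcing noexec at the mmap level, which is the check Jonathan is arguing for; on a mount that answers "allowed", the x bit result shows why checking mode bits alone would not have helped.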