Subject: Re: Escaping a chroot jail
To: None <email@example.com>
From: Bernd Sieker <firstname.lastname@example.org>
Date: 07/14/2005 15:12:30
On 14.07.05, 08:42:04, Steven M. Bellovin wrote:
> Right. As I noted in my earlier post, chroot() isn't proof against
> As for the default security level of 1 -- for anyone who wants to run
> X, that's simply not possible. I understand why, of course, but it
> doesn't help with everything else.
But that's what we have the aperture lkm for. It allows exactly one
process to get r/w access to the memory space of the VGA board. AFAIK
almost all modern drivers work with this workaround. In all other
respects it still has all the features of a normal kernel running
at securelevel 1. No write access to devices of mounted disks, no
access to /dev/(k)mem, ...
boa:~> ps uax | grep X
root 12637 3.8 10.1 40016 52884 ?? Ss 28Jun05 1324:24.35 /usr/X11R6/bin/X vt05 -terminate -once
boa:~> sysctl kern.securelevel
kern.securelevel = 1
I'm running accelerated X on some ATI chipset, the name of which
I can't remember.
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Anagrams for NetBSD-core:
Be stern, Doc.
Net robs DEC
DEC robs Net
-- Julian Assange