NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: syslogd(8) and chroot
On Tue, 24 Sep 2024 14:20:02 +0100
Sad Clouds <cryintothebluesky%gmail.com@localhost> wrote:
> Hi, does anyone know why NetBSD syslogd implicitly calls chroot, when it
> was not requested to do so via -t option?
>
> $ syslogd
> syslogd: Failed to chroot to `/': Operation not permitted
> syslogd: Fatal error, exiting
>
> This prevents syslogd from running as unprivileged user in chroot jail.
> Is there any security benefit of calling chroot on / directory?
>
> I know syslogd can give up root permissions, etc, but I'm playing
> around with chroot partitions to simulate zones/jails and trying to see
> how many daemons can be used as unprivileged user.
Well, I just patched syslogd and can now run it as unprivileged user.
I think the original code where it calls chroot("/") is probably a bug
or an oversight.
$ id
uid=50000(admin) gid=50000(admin) groups=50000(admin)
$ syslogd -u admin -g admin -s
$ ps aux | grep syslog
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
admin 19165 0.0 0.2 18496 1752 ? Is 7:20PM 0:00.01 syslogd -u admin -g admin -s
$ diff -u ./usr.sbin/syslogd/syslogd.c.orig ./usr.sbin/syslogd/syslogd.c
--- ./usr.sbin/syslogd/syslogd.c.orig 2024-09-24 19:55:21.464455835 +0100
+++ ./usr.sbin/syslogd/syslogd.c 2024-09-24 20:00:17.312543067 +0100
@@ -310,7 +310,7 @@
gid_t gid = 0;
char *user = NULL;
char *group = NULL;
- const char *root = "/";
+ const char *root = NULL;
char *endp;
struct group *gr;
struct passwd *pw;
@@ -478,7 +478,7 @@
}
}
- if (access(root, F_OK | R_OK)) {
+ if (root != NULL && access(root, F_OK | R_OK)) {
logerror("Cannot access `%s'", root);
die(0, 0, NULL);
}
@@ -563,10 +563,13 @@
/*
* All files are open, we can drop privileges and chroot
*/
- DPRINTF(D_MISC, "Attempt to chroot to `%s'\n", root);
- if (chroot(root) == -1) {
- logerror("Failed to chroot to `%s'", root);
- die(0, 0, NULL);
+ if (root != NULL)
+ {
+ DPRINTF(D_MISC, "Attempt to chroot to `%s'\n", root);
+ if (chroot(root) == -1) {
+ logerror("Failed to chroot to `%s'", root);
+ die(0, 0, NULL);
+ }
}
DPRINTF(D_MISC, "Attempt to set GID/EGID to `%d'\n", gid);
if (setgid(gid) || setegid(gid)) {
Home |
Main Index |
Thread Index |
Old Index