Re: fexecve

To: Taylor R Campbell <campbell+netbsd-tech-kern%mumble.net@localhost>
Subject: Re: fexecve
From: David Holland <dholland-tech%netbsd.org@localhost>
Date: Tue, 10 Sep 2019 16:27:47 +0000

On Sun, Sep 08, 2019 at 09:53:50PM +0000, Taylor R Campbell wrote:
 > > What can we do about that?
 > 
 > It sounds like you're positing:
 > 
 > - there is a chrooted process A
 > - there is a colluding process B outside the chroot
 > - they share a socket
 > - B can open setuid executables and send their fds over the socket
 > - A can now execute setuid executables outside the chroot
 > 
 > How is this substantively different from the following?
 > 
 > - there is a chrooted process A
 > - there is a colluding process B outside the chroot
 > - they share a socket
 > - A can ask B to execute files by pathname and B will happily oblige
 > - A can now execute setuid executables outside the chroot
 > 
 > That is, under what meaningful circumstances can you rule out the
 > first scenario but not the second one?

The difference in the second scenario is that A can now execute setuid
executables from outside the chroot *in* the chroot, where paths the
executables implicitly or explicitly trust are resolved differently.

So for example it becomes pretty trivial to escalate to root inside
the chroot, and then with such collusion if the whole thing isn't
mounted nosuid it's also trivial to escalate to root outside.

-- 
David A. Holland
dholland%netbsd.org@localhost

References:
- Re: fexecve
  - From: Thor Lancelot Simon
- Re: fexecve
  - From: Taylor R Campbell

Prev by Date: Re: more fexecve questions
Next by Date: Re: more fexecve questions
Previous by Thread: Re: fexecve
Next by Thread: Re: fexecve
Indexes:

Home | Main Index | Thread Index | Old Index