Subject: Re: chroot jail for ftpd
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Alfred Perlstein <bright@mu.org>
List: tech-security
Date: 10/18/2001 17:15:33
* Jonathan Stone <jonathan@DSG.Stanford.EDU> [011018 17:12] wrote:
> 
> >Right, I know that one ... attached is a patch which should fix it.
> 
> thanks. You the man.
> 
> I was actually wondering about hacking ld.{elf_}so  -- or wherever
> LD_PRELOAD and LD_LIBRARY_PATH are actually implemented; <dlfcn.h>? --
> to check each element of a path and check for crossing over mountpoints
> which are mounted noexec, and skipping those search-paths altogether.
> 
> Not to close the security loophole -- we agree on the right place for
> that -- but to give cleaner semantics to anyone fishing for loopholes.

This could be done trivially at the time of open(2) using fstatfs(2).

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
 start asking why software is ignoring 30 years of accumulated wisdom.'
                           http://www.morons.org/rants/gpl-harmful.php3
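
The open-time check suggested in the reply above, as an added example that is not part of the original message or of any loader's source. It uses POSIX fstatvfs(3) and ST_NOEXEC in place of fstatfs(2) so that it builds on more than one system; the function names fd_on_noexec_mount and open_library_checked are hypothetical.

```c
#define _GNU_SOURCE              /* glibc exposes ST_NOEXEC only with this */
#include <fcntl.h>
#include <stdio.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Hypothetical helper: 1 if fd is on a noexec mount, 0 if not, -1 on error. */
int fd_on_noexec_mount(int fd)
{
    struct statvfs sv;

    if (fstatvfs(fd, &sv) == -1)
        return -1;
    return (sv.f_flag & ST_NOEXEC) ? 1 : 0;
}

/*
 * Hypothetical loader-side open for one search-path candidate.
 * The mount flags are read from the descriptor just opened, so the answer
 * describes the file that would be mapped, not whatever the path names later.
 * Returns a descriptor, or -1 if the open fails, the check fails, or the
 * file is on a noexec mount (fail closed).
 */
int open_library_checked(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);

    if (fd == -1)
        return -1;
    if (fd_on_noexec_mount(fd) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Paths come from the command line; each one is a candidate library. */
    for (int i = 1; i < argc; i++) {
        int fd = open_library_checked(argv[i]);

        printf("%s: %s\n", argv[i], fd == -1 ? "skipped" : "ok to map");
        if (fd != -1)
            close(fd);
    }
    return 0;
}
```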