
Re: breaking chroot with ptrace and shared memory-- is it really possible?



Chroot is handy to keep generally non-malicious bugs from
affecting things around the system.  No good security person
will claim that chroot is real protection.

This horse was beaten pretty dead on a couple firewalls lists
in 1995 or so.

Oh, and when I *do* run a service as a user, it's not "nobody".
People kept doing that in a large NFS environment, and I kept
showing that by coming in as root (or indeed many other users),
I could be "nobody" on their system and that "nobody" was way
too privileged.

named runs as, er, "named".
ssh runs as "name^H^H^H^Hssh".

See, not much runs as "nobody".  And less and less runs
as root.

Quoting James Strandboge (jstrand1_(_at_)_rochester_(_dot_)_rr_(_dot_)_com):
> I was reading this post:
> http://www.deadly.org/commentShow.php3?sid=20030407135319&pid=366
> 
> and was wondering if what the guy was saying has any real merit.
> Apparently it is someone from grsecurity, and I read most of the various
> threads.  The poster has quite an attitude, but got me wondering.  He
> mentions "on openbsd ... (remember, on i386 it's still only a non-exec
> stack) you can execute code in the shared memory."  The post is from
> April-- doesn't ProPolice affect this statement?
> 
> By 'breaking chroot' I don't necessarily mean the chroot system call,
> but rather 'breaking the security of the system when chroot is in
> place'.  Even though the guy has a 'holier than thou' attitude, he kept
> talking about how 'trivial' it was to break a chrooted daemon on
> openbsd, or even ssh (later in the thread).  
> 
> I checked misc and tech archives, but couldn't find anything.
> 
> The original post that started the above thread dealt with:
> http://www.grsecurity.net/compare.php
> 
> Jamie Strandboge
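The hardening the reply above argues for, chroot as containment plus an irrevocable drop to a dedicated non-root account rather than "nobody", written out in C as an added example; this is not code from the original post, and the jail path /var/empty and the account name _service are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process: chroot(), then give up root for a dedicated account.
 * Order matters: chroot() needs root, so it runs first; setgroups() and
 * setgid() must come before setuid(), because they fail once root is gone.
 * Returns 0 on success, -1 with errno set on any failure. */
int confine_to_account(const char *root, const char *account)
{
    struct passwd *pw = getpwnam(account);    /* resolve before chroot: passwd db is outside the jail */
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (pw->pw_uid == 0) { errno = EINVAL; return -1; }  /* refuse a root-equivalent account */
    if (chroot(root) == -1) return -1;
    if (chdir("/") == -1) return -1;          /* else the cwd still points outside the jail */
    if (setgroups(0, NULL) == -1) return -1;  /* drop supplementary groups inherited from root */
    if (setgid(pw->pw_gid) == -1) return -1;
    if (setuid(pw->pw_uid) == -1) return -1;
    return 0;
}

/* Verify the drop is permanent: a process that has really given up root
 * cannot setuid(0) again.  Returns 1 if root is unreachable, 0 otherwise. */
int root_is_unreachable(void)
{
    if (geteuid() == 0) return 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/var/empty";  /* assumed empty jail directory */
    const char *acct = argc > 2 ? argv[2] : "_service";    /* hypothetical dedicated account */
    if (confine_to_account(root, acct) == -1) {
        perror("confine_to_account");
        return 1;
    }
    printf("uid=%u gid=%u root_unreachable=%d\n",
           (unsigned)getuid(), (unsigned)getgid(), root_is_unreachable());
    return 0;
}
```

Run it as root with a jail directory and account that exist on the host; a non-root invocation fails at chroot() with EPERM, which is the expected outcome.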