[1525] in linux-security and linux-alert archive
[linux-security] Re: Re: Buffer Overflows: A Summary
daemon@ATHENA.MIT.EDU (Myles Uyema)
Sun May 4 04:11:48 1997
Date: Sat, 3 May 1997 19:05:39 -0400 (EDT)
From: Myles Uyema <myles@puck.nether.net>
To: linux-security@redhat.com
In-Reply-To: <19970503032849.16886.qmail@buffalo.pharos.com.au>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
[mod: deletia]
> + but the sysadmin has mounted the partition containing the jail
> with the nodev option
>
> - but the attacker can create and mount a loopback filesystem inside
> the jail allowing devices to be created
Go back to nodev. Mounting a loopback filesystem requires /dev/loop*
of type Block, major 7, minor 0 through ??.
[mod: Also noted by John Goerzen]
[mod: But from reading the source I think you don't need a /dev entry
to remount the partition without the nodev. Moreover you could MAKE
the /dev entry and use that if it were necessary. But that is not the
issue. The issue is that a chrooted environment is not protected against
a root-user inside the chrooted environment. Try
int i, mypid =getpid ();
for (i=2;i<32768;i++)
if (i != mypid) kill (i, 9);
Ok. This doesn't get him out of the chrooted environment, but you can
see that having root in a chrooted environment is almost as powerful
as non-chrooted. A chrooted environment should be so minimal that the
chances of your users becoming root in there are minimal. -- REW]
Myles Uyema
myles@puck.nether.net