[1525] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: Buffer Overflows: A Summary

daemon@ATHENA.MIT.EDU (Myles Uyema)
Sun May 4 04:11:48 1997

Date: Sat, 3 May 1997 19:05:39 -0400 (EDT)
From: Myles Uyema <myles@puck.nether.net>
To: linux-security@redhat.com
In-Reply-To: <19970503032849.16886.qmail@buffalo.pharos.com.au>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

[mod: deletia]
>  + but the sysadmin has mounted the partition containing the jail
>    with the nodev option
> 
>  - but the attacker can create and mount a loopback filesystem inside
>    the jail allowing devices to be created

Go back to nodev.  Mounting a loopback filesystem requires /dev/loop*
of type Block, major 7, minor 0 through ??.

[mod: Also noted by John Goerzen]

[mod: But from reading the source I think you don't need a /dev entry
to remount the partition without the nodev. Moreover you could MAKE
the /dev entry and use that if it were necessary. But that is not the
issue. The issue is that a chrooted environment is not protected against
a root-user inside the chrooted environment. Try 
    int i, mypid =getpid ();
    for (i=2;i<32768;i++)
	if (i != mypid) kill (i, 9);
Ok. This doesn't get him out of the chrooted environment, but you can
see that having root in a chrooted environment is almost as powerful
as non-chrooted.  A chrooted environment should be so minimal that the
chances of your users becoming root in there are minimal. -- REW]


Myles Uyema
myles@puck.nether.net


home help back first fref pref prev next nref lref last post