tcpdump mailing list archives

Re: chroot and setuid [Re: OpenBSD work on Tcpdump privilege separation]


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Wed, 25 Feb 2004 04:06:58 -0500

Pekka Savola wrote:
This is my view on how chroot should be done (note: I haven't bothered to add a cmd-line argument, if you think that should be added, it's trivial), and the trivial setuid patch as well.

I don't think it's necessary, but it might be handy. See below.

This doesn't try to automatically create directories or whatever, but relies on the compile time option (e.g. /var/empty) but is IMHO better in some sense.

-               if (initgroups(pw->pw_name, 0) != 0 || setgid(pw->pw_gid) != 0 ||
+               if (chroot_dir) {
+                       if (chroot(chroot_dir) != 0 || chdir (".") != 0) {
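Review bot: `chdir(".")` after `chroot(chroot_dir)` leaves the working directory where it was on platforms whose chroot() does not chdir() implicitly, so the process is not actually confined; do `chdir(chroot_dir) != 0 || chroot(".") != 0` instead (or `chdir("/")` after the chroot). Keep this block ahead of the `initgroups()`/`setgid()` line the hunk removes, since chroot() needs root and must complete before the uid/gid drop.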

No, you have to chdir to "/". Or better, do (chdir(chroot_dir) != 0 || chroot(".") != 0). On some platforms, chroot() doesn't do an implicit chdir(), so the way you've done things you won't end up chrooted -- your cwd will still be where you started.

That's why Andrew went to the trouble of looking at Wietse Venema's chrootuid code as a point of reference for this, so we don't get into trouble.

There's one issue that occurred to me with chroot: on some platforms/configurations there may be a need for access to certain files outside the jail. If any get*byname() calls are being used, there may be a need for access to /etc/resolv.conf, /etc/protocols, etc. On IRIX, it's worse since all the get*by*() calls end up relying on access to /ns. So if -n isn't in force, chrooting might break some lookups. So that also argues for a commandline argument at least to switch it off.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
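The ordering Jefferson describes, as an added example that is not part of this thread or of tcpdump's code: look the user up before the chroot (getpwnam() needs /etc afterwards), chdir() into the jail and then chroot("."), and only then drop groups, gid and uid. The function names, the NULL-means-disabled convention and the final setuid(0) check are this example's own choices.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Enter the jail in the order that is safe on every platform: chdir()
 * into the directory first, then chroot("."), so the cwd can never be
 * left outside the new root even where chroot() does no implicit chdir().
 * A NULL dir means "chroot disabled" (e.g. to keep get*by*() lookups
 * working). Returns 0 on success, -1 with errno set on failure. */
int enter_jail(const char *dir)
{
    if (dir == NULL)
        return 0;
    if (chdir(dir) != 0)     /* nothing has changed if this fails */
        return -1;
    if (chroot(".") != 0)    /* needs root; cwd is already the jail */
        return -1;
    return 0;
}

/* Drop root permanently: supplementary groups, primary gid, then uid.
 * Afterwards setuid(0) must fail, otherwise the drop was not permanent. */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Full sequence: resolve the user while /etc is still visible, jail,
 * then drop. Returns 0 on success, -1 (errno set) on the first failure. */
int jail_and_drop(const char *dir, const char *user)
{
    struct passwd *pw = getpwnam(user);   /* before chroot, not after */
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (enter_jail(dir) != 0) return -1;
    return drop_to_user(pw);
}

int main(void)
{
    /* Must run as root to succeed; "nobody" and /var/empty are examples. */
    if (jail_and_drop("/var/empty", "nobody") != 0) { perror("jail_and_drop"); return 1; }
    char cwd[256];
    printf("jailed, cwd=%s uid=%d\n", getcwd(cwd, sizeof cwd) ? cwd : "?", (int)getuid());
    return 0;
}
```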

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe