Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: chroot useful?

From: Darren Reed <darrenr () cyber com au>
Date: Sun, 16 Nov 1997 19:12:17 +1100 (EST)
In some mail I received from Anton J Aylward, sie wrote


At 01:55 PM 14/11/97 +1100, Darren Reed wrote:


No.  If it can write to /dev/kmem (especially), then all it needs to do
is call the mknod(2) system call, create the right device for /dev/kmem,
open it, search for the right place in memory to change and voila! No
more chroot'd environment.  Most of the buffer exploits for programs
could be converted to do that or make it possible.


suppose I don't have a /dev/kmem - see LINUX


Hmmm ?  This doesn't exactly mean a lot.


suppose I don't have a /dev in my chroot()'d environment


You create it.  mkdir(2)


suppose I have a /dev/kmem in my chroot'd environment which is 
        actually /dev/null


unlink("/dev/null");
mknod("/dev/kmem", 0667, 0xkmem_device);

Sure, you can prevent that with cetain file flags, but whether or not
/dev/kmem or ~ftp/pub/kmem, makes no difference.

One of the older NFS exploits was to create a /dev/kmem file from an
otherwise untrusted network host that just happened to have root privs
on the NFS volume.  Once that file was created, say it was ~anton/kmem
and was mode 666, it is exactly the same as /dev/kmem being 666.


Why oh why would you set up a chroot'd environment with
the ability to break out of it, by supplying things like a compiler,
syscall library..... 


Who said anything about syscall libraries when you can do it in machine
code anyway ?


There is also a very simple kernel tweek you can make.


Yup.


If the per process root inode is not the same as the system
inode (i.e. the process is running chroot()'d) then disallow
various system calls.   I can claim originality for this....


You mean "can't"...

[...mjr's email deleted...]

So, how many firewalls out there implemented with any of the common
operating systems (be they free or commercial) actually do this ?

Yes, you can do these things.  You can do a lot more too.  But, as
Marcus says, you have to know what to modify and how to modify it.
Once you've got that knowledge, it's relatively trivial to hack it
and make it work.  Hacks are good short term solutions, designing
a system that works, is functional and extensible is a tad more
difficult but much more worthwhile.  Yes, I am working on something
to address this and other related issues without being too complacent
it or naive about what the result will be.

Darren
Previous By Date Next
Previous By Thread Next

Current thread: