Firewall Wizards mailing list archives

Re: DNS, SUID, Chroot


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 13 Oct 1997 13:01:53 -0400

1. (Need to do as EUID ROOT) Open socket, bind to port, and do
2. (Need to do as ROOT on some systems)
  do CHROOT to the jail area.
3. SUID(harmless_user) (Need to do as ROOT)

This is a good recipe, as long as you also stipulate that the jail
contains no device files that would allow memory access, and no
setuid files.

It turns out there are 2 ways to get out of a chroot (if you're
root):
        -> you can use fchroot( ) -- a little advertised system call.

        -> you can repeatedly chroot to ".."
                on some systems (pseudocode, not compilable):
                struct stat sbuf;       /* declarations added */
                ino_t last_inode = 0;

                while (1) {
                        stat(".", &sbuf);

                        /* we are out! -- ".." is same as "." == "/" */
                        if (sbuf.st_ino == last_inode)
                                break;

                        last_inode = sbuf.st_ino;
                        chroot("..");
                }

        The latter is a bug which (may) be fixed on some UNIXes
but the bottom line is that merely chrooting is not enough; you
MUST get rid of privileges and be able to argue that there is no
way within the jail to get privilege.

        This brings me to fun traps -- it's nice to add things in
the vfs_syscalls.c routine for chroot to check and see if
the process' root directory is not the system root (e.g.: it
has already done a chroot) and then you core the process
if it tries to do another chroot.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
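
The stipulations in the post (no device nodes and no setuid files in the jail, and privileges dropped so that there is "no way within the jail to get privilege") as an added example in C. This is not code from Ranum's message or from NFR; the function names, the default jail path /var/jail and the uid/gid 65534 are assumptions for illustration, and the sample jail is constructed by the program itself so the audit can be tried without root.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `dir` and count what the post says a jail must not contain: device
 * nodes (a root process could read memory or the raw disk through them) and
 * regular files with the setuid/setgid bit (a route back to privilege).
 * lstat() is used so a symlink pointing outside the jail is not followed.
 * Returns the number of findings, or -1 on error. */
int audit_jail(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int findings = 0;
    struct dirent *e;
    while (findings >= 0 && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        struct stat sb;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path
            || lstat(path, &sb) < 0) {
            findings = -1;
        } else if (S_ISCHR(sb.st_mode) || S_ISBLK(sb.st_mode)) {
            fprintf(stderr, "device node in jail: %s\n", path);
            findings++;
        } else if (S_ISREG(sb.st_mode) && (sb.st_mode & (S_ISUID | S_ISGID))) {
            fprintf(stderr, "setuid/setgid file in jail: %s\n", path);
            findings++;
        } else if (S_ISDIR(sb.st_mode)) {
            int sub = audit_jail(path);
            findings = (sub < 0) ? -1 : findings + sub;
        }
    }
    closedir(d);
    return findings;
}

/* Step 3 of the recipe, done so it cannot be undone: supplementary groups
 * first, then gid, then uid. Order matters, because once the uid is not 0
 * the gid can no longer be changed. Returns 0, or -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return 0;
}

/* The "argue there is no way to get privilege back" check: after a real
 * drop, setuid(0) must fail. It would still succeed if only the effective
 * uid had been changed (seteuid()), leaving the saved set-uid at 0.
 * Returns 1 if root is gone for good, 0 otherwise. */
int privileges_really_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;   /* we just became root again: the drop was incomplete */
    return errno == EPERM;
}

/* Constructed sample jail (not a real deployment): a temp directory holding
 * bin/su with the setuid bit set. Writes the path into `out`, returns 0 or -1. */
int build_sample_jail(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/jailXXXXXX";
    char path[PATH_MAX];
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) >= outlen)
        return -1;
    snprintf(out, outlen, "%s", tmpl);
    snprintf(path, sizeof path, "%s/bin", tmpl);
    if (mkdir(path, 0755) < 0)
        return -1;
    snprintf(path, sizeof path, "%s/bin/su", tmpl);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    return chmod(path, 04755);   /* the owner may set the setuid bit */
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/jail";   /* assumed path */
    int n = audit_jail(jail);
    if (n != 0) {
        fprintf(stderr, "jail %s not clean (%d findings)\n", jail, n);
        return 1;
    }
    if (geteuid() == 0) {
        /* chdir("/") right after chroot(): a cwd left outside the new root
         * is exactly what the chroot("..") walk in the post relies on. */
        if (chroot(jail) < 0 || chdir("/") < 0 || drop_privileges(65534, 65534) < 0) {
            perror("jail setup");
            return 1;
        }
    }
    printf("root regainable: %s\n", privileges_really_dropped() ? "no" : "yes");
    return 0;
}
```

Run it as root against a jail directory to see the full sequence; run it unprivileged against the directory that build_sample_jail() creates to see the audit reject the setuid file. The audit only looks at what is inside the jail; it says nothing about the fchroot() and chroot("..") routes in the post, which is why the privilege drop and the setuid(0) check are there too.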