httpd-dev mailing list archives

From Randy Terbush
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 23:19:28 GMT
> Robert S. Thau wrote:
> > 
> >  BTW, I've almost decided that chroot() doesn't help with security (because a
> >  Bad Guy can still make something setuid to the attacked uid which can then be
> >  exploited by another route).
> > 
> > Ummm... that's not the point.  Yes, once a suid-root binary exists, even
> > in the chrooted environment, you're hosed.  However, the user had to exploit
> > security holes in some program in order to bring it into existence.  If 
> > chroot locks some of the likely tools out of reach, that means the attacks
> > that require them just won't work.
> > 
> > (For instance, one popular style of attack is the trojan-horse binary.  If
> > the directory you'd have to plant it in is just not part of your view of the
> > file system, however, then you don't have access regardless of what the
> > permission bits are or who owns it --- and that *particular* possibility is
> > closed off).
> Agreed. I just see so many holes in the chrooted environment that it is hard to
> distinguish it from the non-chrooted (thinking aleph-0 again). However,
> sticking to the finite, your point is correct. So, Randy, gonna put chroot in?
> Cheers,
> Ben.

chroot() is a good idea, but should probably be an option. No
problem for me since the server is running chroot()'d anyway.
Could be a pain in the butt for anyone else.
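
Added example, not part of the original message or of the Apache code: a defensive audit that walks a directory tree intended as a chroot jail and reports the two conditions the thread discusses, setuid/setgid files and directories in which any user could plant a binary. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_jail(root):
    """Return sorted (kind, relative_path) findings for a would-be chroot tree.

    kind is 'setuid', 'setgid' or 'world-writable-dir'.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(st.st_mode):
                if st.st_mode & stat.S_ISUID:
                    findings.append(("setuid", rel))
                if st.st_mode & stat.S_ISGID:
                    findings.append(("setgid", rel))
            elif stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                # The sticky bit (as on /tmp) still lets anyone create files here.
                findings.append(("world-writable-dir", rel))
    return sorted(findings)


def build_sample_jail():
    """Create a constructed sample tree (illustrative layout, not Apache's)."""
    root = tempfile.mkdtemp(prefix="jail-")
    for d, mode in (("bin", 0o755), ("htdocs", 0o755), ("tmp", 0o1777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)  # explicit, independent of umask
    for rel, mode in (("bin/helper", 0o4755), ("bin/sh", 0o755),
                      ("htdocs/index.html", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("placeholder\n")
        os.chmod(path, mode)  # set mode after writing; a write clears setuid
    return root


if __name__ == "__main__":
    for kind, rel in audit_jail(build_sample_jail()):
        print(kind, rel)
```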
