On 11/30/2011 8:37 PM, Mike Tancsa wrote: > On 11/30/2011 8:16 PM, Xin LI wrote: >> >> Sorry I patched at the wrong place, this one should do. >> >> Note however this is not sufficient to fix the problem, for instance >> one can still upload .so's that run arbitrary code at his privilege, >> which has to be addressed in libc. I need some time to play around >> with libc to really fix this one. > > Hi, > Yes, that looks better! With respect to users uploading .so files, I > guess why not just upload executables directly ? Although I suppose if > they are not allowed to execute anything, this would be a way around that. > > Now to prod the proftpd folks
I was testing sshd when the user's sftp session is chrooted to see how it behaves. Because of the safety design of the way sshd is written, its not possible to do this out of the box. The person would first need to create those files as root since the chroot directory is not writeable by the user as explained in http://www.gossamer-threads.com/lists/openssh/dev/44657 But if somehow the user is able to create those directories at the top, or those directories are created ahead of time for the user thats writeable by them, the bogus lib will and does run in the user's context. I dont imagine this is common, but I am sure there is some potential foot shooting going on. Looking at the scponly port, it seems well aware of this based on the suggested setup. But again, foot shooting could happen if the lib path is not secured properly. Other than having /etc/nsswitch.conf, are there any other methods that would trigger loading of shared libs in the chrooted environment ? ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
