-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/08/11 13:52, Mike Tancsa wrote: > On 11/30/2011 8:37 PM, Mike Tancsa wrote: >> On 11/30/2011 8:16 PM, Xin LI wrote: >>> >>> Sorry I patched at the wrong place, this one should do. >>> >>> Note however this is not sufficient to fix the problem, for >>> instance one can still upload .so's that run arbitrary code at >>> his privilege, which has to be addressed in libc. I need some >>> time to play around with libc to really fix this one. >> >> Hi, Yes, that looks better! With respect to users uploading .so >> files, I guess why not just upload executables directly ? >> Although I suppose if they are not allowed to execute anything, >> this would be a way around that. >> >> Now to prod the proftpd folks > > I was testing sshd when the user's sftp session is chrooted to see > how it behaves. Because of the safety design of the way sshd is > written, its not possible to do this out of the box. The person > would first need to create those files as root since the chroot > directory is not writeable by the user as explained in > http://www.gossamer-threads.com/lists/openssh/dev/44657 > > But if somehow the user is able to create those directories at the > top, or those directories are created ahead of time for the user > thats writeable by them, the bogus lib will and does run in the > user's context. > > I dont imagine this is common, but I am sure there is some > potential foot shooting going on. Looking at the scponly port, it > seems well aware of this based on the suggested setup. But again, > foot shooting could happen if the lib path is not secured > properly. > > Other than having /etc/nsswitch.conf, are there any other methods > that would trigger loading of shared libs in the chrooted > environment ?
PAM and iconv (not enabled by default) come to mind. Cheers, - -- Xin LI <delp...@delphij.net> https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7hORAACgkQOfuToMruuMCzZACfSmhjQjXck5tQGbMWuKhnQvjo JuwAn2odZWw9Lw8nUqtbl8c2Jzysz/oc =QAvJ -----END PGP SIGNATURE----- _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
