tech-security: Re: Escaping a chroot jail

Subject: Re: Escaping a chroot jail
To: None <tech-security@netbsd.org>
From: Bernd Sieker <bsieker@rvs.uni-bielefeld.de>
List: tech-security
Date: 07/14/2005 15:12:30

On 14.07.05, 08:42:04, Steven M. Bellovin wrote:
> 
> Right.  As I noted in my earlier post, chroot() isn't proof against 
> root.
> 
> As for the default security level of 1 -- for anyone who wants to run 
> X, that's simply not possible.  I understand why, of course, but it 
> doesn't help with everything else. 

But that's what we have the aperture lkm for. It allows exactly one
process to get r/w access to the memory space of the VGA board. AFAIK
almost all modern drivers work with this workaround. In all other
respects it still has all the features of a normal kernel running
at securelevel 1. No write access to devices of mounted disks, no
access to /dev/(k)mem, ...

See also
  ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/sysutils/aperture/README.html

boa:~> ps uax | grep X
root    12637  3.8 10.1 40016  52884 ??  Ss   28Jun05 1324:24.35 /usr/X11R6/bin/X vt05 -terminate -once 
boa:~> sysctl kern.securelevel
kern.securelevel = 1

I'm running accelerated X on some ATI chipset, the name of which
I can't remember.

> 
> 		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
> 
> 

-- 
Bernd Sieker

Anagrams for NetBSD-core:
  Cot Benders
  Be stern, Doc.
  Net robs DEC
  DEC robs Net
		-- Julian Assange