| 1 |
different wrote: |
| 2 |
> On 16:21 Sun 14 Jun , 7v5w7go9ub0o wrote: |
| 3 |
>> [... SNIP ...] |
| 4 |
>> |
| 5 |
>> Nope.... that's all there is to the wrapper. |
| 6 |
>> |
| 7 |
>> gcc runchroot.c -o runchroot chown root runchroot chmod u+s |
| 8 |
>> runchroot |
| 9 |
> |
| 10 |
> Ouch. Do _not_ set the setuid-bit on runchroot. Otherwise it would be |
| 11 |
> a piece of cake for the intruder to gain root-privileges: |
| 12 |
> diff@mallory ~ $ ls -l runchroot -rwsr-xr-x 1 root root 7680 Jun 15 |
| 13 |
> 04:37 runchroot diff@mallory ~ $ ./runchroot -u root -d / -- /bin/sh |
| 14 |
> # id uid=0(root) gid=0(root) |
| 15 |
> groups=10(wheel),18(audio),27(video),1000(diff), 1007(qemu) # ls -l |
| 16 |
> /proc/self/root lrwxrwxrwx 1 root root 0 Jun 15 04:45 /proc/self/root |
| 17 |
> -> / |
| 18 |
> |
| 19 |
> /ck |
| 20 |
|
| 21 |
Thank you! for posting this!! |
| 22 |
|
| 23 |
TBH, I wondered about this. After updating to 64bit, I compiled |
| 24 |
runchroot and forgot to do the setuid-bit - yet everything *appears* to |
| 25 |
work fine; i.e. the user is changed to the designated, unprivileged |
| 26 |
user; However, I haven't confirmed that the privileges have also been |
| 27 |
dropped - they *seem* to have been. So I included the setuid advice |
| 28 |
provided in this link: <http://www.gammon.com.au/forum/?id=885> |
| 29 |
|
| 30 |
The source code makes no mention of setuid. |
| 31 |
|
| 32 |
Based on your note, I'll continue with a non-setuid setup. :-) |
Archives