CHROOT, home jailed and stuff - Page 2
Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 24

Thread: CHROOT, home jailed and stuff

  1. #11
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    The exploit that you mentioned,
    only talks about escaping from chroot, not elevating privelige,
    I am not a programmer, and probably couldn't pull this off,
    so I wouldn't be afraid of letting my friend compile something
    as a normal user. Setting up the chroot jail with a compiler
    isn't a trivial task either. Since I am not an admin at a nuclear
    weapons lab, I don't have to worry about it. If you don't trust the guy,
    there's no easy way to give him access without taking some small
    risk.
    I came in to the world with nothing. I still have most of it.

  2. #12
    Junior Member
    Join Date
    Jun 2005
    Posts
    20
    Originally posted by Net2Infinity
    Okay if you wanted to install amule I sent you the link for the amule as an rpm package.
    I installed and used for about a month those RPMs (version 2.0) that you are talking about till I got sick and tired of the many bugs that it had. Last version is 2.1.3 and has MANY improvments. I really hope that you have all data now.

    @ rcgreen
    I see that you dropped your story about elevating privileges and admitted you don't have any clue about HOW doing it. I heard so many stories about 13 yo kids breaking CIA computers that one more from you doesn't even bother me...

    Originally posted by nihil
    You should also consider basic human psychology............. if you create an atmosphere of mistrust you will simply be challenging the person to outwit you, and may well create a situation that would otherwise not have arisen.
    I have no idea what are you talking about. But if you imply that he could stole my porn collection ... ok... I'm scared.

  3. #13
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I have no idea what are you talking about. But if you imply that he could stole my porn collection
    Absolutely not!.............. everyone here will tell you that my collection is far superior to yours....... I would have just asked for a contact number for him so we could have come to a "private arrangement"

    My concern was a genuine observation of the rule that if you treat people like little schoolboys, you must expect them to behave as such?

    Now, is there any reason why this guy actually needs to use your system for this development? I ask this because I have seen too many disasters when people have tried to develop on production equipment!!!

    Could he develop offline and bring you a CD/DVD ?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #14
    Junior Member
    Join Date
    Jun 2005
    Posts
    20
    Originally posted by nihil Now, is there any reason why this guy actually needs to use your system for this development? I ask this because I have seen too many disasters when people have tried to develop on production equipment!!!
    Flash news: he compiled amule 2.1.3 and did a GREAT job. Now amule forum has a new section for existing distro packages: RedHat 9.

    But my question stays valid and unanswered: is there ANY OTHER solution for having a user "jailed" in his own yard but still having compilation rights?

    If not, just say it so we can all close this topic and go to bed to our (neglected) girlfriends.

  5. #15
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    you dropped your story about elevating privileges
    Never had a story.

    What's he gonna do, elevate his priveliges, get root,
    install a rootkit and brag about it on irc?
    It wasn't myself I was referring to, and I was suggesting
    that your paranoia wasn't justified, since there is really
    not much harm he can do. It's only a computer.
    I came in to the world with nothing. I still have most of it.

  6. #16
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    The solution as far as I can see, is to install FreeBSD 4.x or above since that has a more secure chroot() call than Linux does. It's mentioned in the very internet article that you linked to. Otherwise, the Linux chroot() call is less than secure and exploitable IF a privelege escalation vulnerability also exists on your system.
    Remember, if the way a program is written makes it inherently vulnerable, there's not much you can do about it except write your own program that mimics the same functionality. You could theoretically write an alternative chroot program that doesn't use the chroot() system call. But any suggestions on how exactly to do this are far beyond my scope of knowledge.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  7. #17
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    But my question stays valid and unanswered: is there ANY OTHER solution for having a user "jailed" in his own yard but still having compilation rights?
    In a single word...............................

    NO!

    Why should there be? as I have mentioned, you do untrusted work in an untrusted (development) environment. That should be a fundamental part of your security model.

    Please remember that physical security is of paramount importance yet is so frequently overlooked.

    My view (and that of most military and security agencies) is that if you allow someone physical access or remote access with rights of a level such as compilation, you really do have to trust them
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  8. #18
    Junior Member
    Join Date
    Jun 2005
    Posts
    20
    allrighty then... so this pretty much wraps it. thank you for advice and patience.

    I go now throw my Linux machine in a safe having only a tiny hole for network cable.
    And guess what? I hired a genie with a mighty sword that guards it and chops heads (or packet HEADers ?) off if any hacker tries to get in.

    Cheers

  9. #19
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    Lol .. I first replyed to the PM and only now discovered the thread.. here's the main part of the PM I wrote masster just now..

    With compiling (or theoretically downloading) rights you can have people breaking out of the jail..
    If you don't keep up-to date on your installed software compiling 'rights' might even let people gain root..

    That said you should look at what packages you want to use and include those libraries..
    So that would be gcc. the autotools and bintools etc..
    Take a look inside the packages you would normally install for those functions.

    I must add that the tutorial is a bit outdated..
    But it does work.. I have a public secret shell acount myself for 'friends'
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  10. #20
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Just curious: If you don't trust them to be on the box or install software... then WHY would you let them compile source into a binary that you're going to run with your own privledges. You could be the one elevating the privledges for them. IF they modify the source code to include the backdoor or rootkit, and you install it, then you just made their job *that* much easier.

    Why can't you just compile it yourself?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides