CHROOT, home jailed and stuff

[rcgreen]

The exploit that you mentioned,
only talks about escaping from chroot, not elevating privelige,
I am not a programmer, and probably couldn't pull this off,
so I wouldn't be afraid of letting my friend compile something
as a normal user. Setting up the chroot jail with a compiler
isn't a trivial task either. Since I am not an admin at a nuclear
weapons lab, I don't have to worry about it. If you don't trust the guy,
there's no easy way to give him access without taking some small
risk.

[masster]

Originally posted by Net2Infinity
Okay if you wanted to install amule I sent you the link for the amule as an rpm package.

I installed and used for about a month those RPMs (version 2.0) that you are talking about till I got sick and tired of the many bugs that it had. Last version is 2.1.3 and has MANY improvments. I really hope that you have all data now.

@ rcgreen
I see that you dropped your story about elevating privileges and admitted you don't have any clue about HOW doing it. I heard so many stories about 13 yo kids breaking CIA computers that one more from you doesn't even bother me...

Originally posted by nihil
You should also consider basic human psychology............. if you create an atmosphere of mistrust you will simply be challenging the person to outwit you, and may well create a situation that would otherwise not have arisen.

I have no idea what are you talking about. But if you imply that he could stole my porn collection ... ok... I'm scared.

[nihil]

I have no idea what are you talking about. But if you imply that he could stole my porn collection

Absolutely not!.............. everyone here will tell you that my collection is far superior to yours....... I would have just asked for a contact number for him so we could have come to a "private arrangement"

My concern was a genuine observation of the rule that if you treat people like little schoolboys, you must expect them to behave as such?

Now, is there any reason why this guy actually needs to use your system for this development? I ask this because I have seen too many disasters when people have tried to develop on production equipment!!!

Could he develop offline and bring you a CD/DVD ?

[masster]

Originally posted by nihil Now, is there any reason why this guy actually needs to use your system for this development? I ask this because I have seen too many disasters when people have tried to develop on production equipment!!!

Flash news: he compiled amule 2.1.3 and did a GREAT job. Now amule forum has a new section for existing distro packages: RedHat 9.

But my question stays valid and unanswered: is there ANY OTHER solution for having a user "jailed" in his own yard but still having compilation rights?

If not, just say it so we can all close this topic and go to bed to our (neglected) girlfriends.

[rcgreen]

you dropped your story about elevating privileges

Never had a story.

What's he gonna do, elevate his priveliges, get root,
install a rootkit and brag about it on irc?

It wasn't myself I was referring to, and I was suggesting
that your paranoia wasn't justified, since there is really
not much harm he can do. It's only a computer.

[cgkanchi]

The solution as far as I can see, is to install FreeBSD 4.x or above since that has a more secure chroot() call than Linux does. It's mentioned in the very internet article that you linked to. Otherwise, the Linux chroot() call is less than secure and exploitable IF a privelege escalation vulnerability also exists on your system.
Remember, if the way a program is written makes it inherently vulnerable, there's not much you can do about it except write your own program that mimics the same functionality. You could theoretically write an alternative chroot program that doesn't use the chroot() system call. But any suggestions on how exactly to do this are far beyond my scope of knowledge.

Cheers,
cgkanchi

[nihil]

But my question stays valid and unanswered: is there ANY OTHER solution for having a user "jailed" in his own yard but still having compilation rights?

In a single word...............................

NO!

Why should there be? as I have mentioned, you do untrusted work in an untrusted (development) environment. That should be a fundamental part of your security model.

Please remember that physical security is of paramount importance yet is so frequently overlooked.

My view (and that of most military and security agencies) is that if you allow someone physical access or remote access with rights of a level such as compilation, you really do have to trust them

[masster]

allrighty then... so this pretty much wraps it. thank you for advice and patience.

I go now throw my Linux machine in a safe having only a tiny hole for network cable.
And guess what? I hired a genie with a mighty sword that guards it and chops heads (or packet HEADers ?) off if any hacker tries to get in.

Cheers

[the_JinX]

Lol .. I first replyed to the PM and only now discovered the thread.. here's the main part of the PM I wrote masster just now..

With compiling (or theoretically downloading) rights you can have people breaking out of the jail..
If you don't keep up-to date on your installed software compiling 'rights' might even let people gain root..

That said you should look at what packages you want to use and include those libraries..
So that would be gcc. the autotools and bintools etc..
Take a look inside the packages you would normally install for those functions.

I must add that the tutorial is a bit outdated..
But it does work.. I have a public secret shell acount myself for 'friends'

[phishphreek]

Just curious: If you don't trust them to be on the box or install software... then WHY would you let them compile source into a binary that you're going to run with your own privledges. You could be the one elevating the privledges for them. IF they modify the source code to include the backdoor or rootkit, and you install it, then you just made their job *that* much easier.

Why can't you just compile it yourself?