-
August 20th, 2006, 09:42 PM
#11
The exploit that you mentioned,
only talks about escaping from chroot, not elevating privilege,
I am not a programmer, and probably couldn't pull this off,
so I wouldn't be afraid of letting my friend compile something
as a normal user. Setting up the chroot jail with a compiler
isn't a trivial task either. Since I am not an admin at a nuclear
weapons lab, I don't have to worry about it. If you don't trust the guy,
there's no easy way to give him access without taking some small
risk.
I came in to the world with nothing. I still have most of it.
-
August 20th, 2006, 10:07 PM
#12
Junior Member
Originally posted by Net2Infinity
Okay if you wanted to install amule I sent you the link for the amule as an rpm package.
I installed and used for about a month those RPMs (version 2.0) that you are talking about till I got sick and tired of the many bugs that it had. Last version is 2.1.3 and has MANY improvements. I really hope that you have all data now.
@ rcgreen
I see that you dropped your story about elevating privileges and admitted you don't have any clue about HOW to do it. I heard so many stories about 13 yo kids breaking CIA computers that one more from you doesn't even bother me...
Originally posted by nihil
You should also consider basic human psychology............. if you create an atmosphere of mistrust you will simply be challenging the person to outwit you, and may well create a situation that would otherwise not have arisen.
I have no idea what you are talking about. But if you imply that he could steal my porn collection ... ok... I'm scared.
-
August 20th, 2006, 10:57 PM
#13
I have no idea what you are talking about. But if you imply that he could steal my porn collection
Absolutely not!.............. everyone here will tell you that my collection is far superior to yours....... I would have just asked for a contact number for him so we could have come to a "private arrangement"
My concern was a genuine observation of the rule that if you treat people like little schoolboys, you must expect them to behave as such?
Now, is there any reason why this guy actually needs to use your system for this development? I ask this because I have seen too many disasters when people have tried to develop on production equipment!!!
Could he develop offline and bring you a CD/DVD ?
-
August 21st, 2006, 01:41 AM
#14
Junior Member
Originally posted by nihil
Now, is there any reason why this guy actually needs to use your system for this development? I ask this because I have seen too many disasters when people have tried to develop on production equipment!!!
Flash news: he compiled amule 2.1.3 and did a GREAT job. Now amule forum has a new section for existing distro packages: RedHat 9.
But my question stays valid and unanswered: is there ANY OTHER solution for having a user "jailed" in his own yard but still having compilation rights?
If not, just say it so we can all close this topic and go to bed to our (neglected) girlfriends.
-
August 21st, 2006, 04:14 AM
#15
you dropped your story about elevating privileges
Never had a story.
What's he gonna do, elevate his privileges, get root,
install a rootkit and brag about it on irc?
It wasn't myself I was referring to, and I was suggesting
that your paranoia wasn't justified, since there is really
not much harm he can do. It's only a computer.
-
August 21st, 2006, 05:59 AM
#16
The solution as far as I can see, is to install FreeBSD 4.x or above since that has a more secure chroot() call than Linux does. It's mentioned in the very internet article that you linked to. Otherwise, the Linux chroot() call is less than secure and exploitable IF a privilege escalation vulnerability also exists on your system.
Remember, if the way a program is written makes it inherently vulnerable, there's not much you can do about it except write your own program that mimics the same functionality. You could theoretically write an alternative chroot program that doesn't use the chroot() system call. But any suggestions on how exactly to do this are far beyond my scope of knowledge.
Cheers,
cgkanchi
-
August 21st, 2006, 08:37 AM
#17
But my question stays valid and unanswered: is there ANY OTHER solution for having a user "jailed" in his own yard but still having compilation rights?
In a single word...............................
NO!
Why should there be? as I have mentioned, you do untrusted work in an untrusted (development) environment. That should be a fundamental part of your security model.
Please remember that physical security is of paramount importance yet is so frequently overlooked.
My view (and that of most military and security agencies) is that if you allow someone physical access or remote access with rights of a level such as compilation, you really do have to trust them
-
August 21st, 2006, 04:38 PM
#18
Junior Member
allrighty then... so this pretty much wraps it. thank you for advice and patience.
I go now throw my Linux machine in a safe having only a tiny hole for network cable.
And guess what? I hired a genie with a mighty sword that guards it and chops heads (or packet HEADers ?) off if any hacker tries to get in.
Cheers
-
August 21st, 2006, 11:12 PM
#19
Lol .. I first replied to the PM and only now discovered the thread.. here's the main part of the PM I wrote masster just now..
With compiling (or theoretically downloading) rights you can have people breaking out of the jail..
If you don't keep up to date on your installed software, compiling 'rights' might even let people gain root..
That said you should look at what packages you want to use and include those libraries..
So that would be gcc, the autotools and bintools etc..
Take a look inside the packages you would normally install for those functions.
I must add that the tutorial is a bit outdated..
But it does work.. I have a public secret shell account myself for 'friends'
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
August 22nd, 2006, 03:27 AM
#20
Just curious: If you don't trust them to be on the box or install software... then WHY would you let them compile source into a binary that you're going to run with your own privileges? You could be the one elevating the privileges for them. IF they modify the source code to include the backdoor or rootkit, and you install it, then you just made their job *that* much easier.
Why can't you just compile it yourself?
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.