[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2022-09-20 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

Kubilay Kocak  changed:

   What|Removed |Added

   Priority|Normal  |---
   Assignee|b...@freebsd.org|tr...@freebsd.org
 Resolution|Overcome By Events  |FIXED
URL||https://reviews.freebsd.org
   ||/D30130
Version|8.0-CURRENT |12.2-RELEASE

--- Comment #14 from Kubilay Kocak  ---
^Triage:

 - Correct resolutions (FIXED .. 'issue as reported', by commit, even if not by
patch attached here)
 - Assign to committer that resolved
 - Add meta (review)
 - Set version to earliest (currently) supported branch/version

@trasz If this ended up being MFC'd to stable/13 (was probably current at the
time?) or stable/12, please set mfc-stableX flags as appropriate

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2022-09-20 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

Ed Maste  changed:

   What|Removed |Added

 Status|Open|Closed
 Resolution|--- |Overcome By Events

--- Comment #13 from Ed Maste  ---
Implemented in:

commit a40cf4175c90142442d0c6515f6c83956336699b
Author: Edward Tomasz Napierala 
Date:   Tue Jul 20 08:56:04 2021 +

Implement unprivileged chroot

This builds on recently introduced NO_NEW_PRIVS flag to implement
unprivileged chroot, enabled by `security.bsd.unprivileged_chroot`.
It allows non-root processes to chroot(2), provided they have the
NO_NEW_PRIVS flag set.

The chroot(8) utility gets a new flag, -n, which sets NO_NEW_PRIVS
before chrooting.

Reviewed By:kib
Sponsored By:   EPSRC
Relnotes:   yes
Differential Revision:  https://reviews.freebsd.org/D30130

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2018-05-20 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

Julian Elischer  changed:

   What|Removed |Added

 CC||jul...@freebsd.org

--- Comment #12 from Julian Elischer  ---
If the ability to do this operation (unpriv chroot) is inherited, and the
ability to set that bit is only settable by root then a process can only do
this if a root ancestor has said that security is being lowered by this family
of processes. I would even go as far as saying secure level would disable it
along with a "no return" policy. (by which I mean once it is set in a process
and then used you cannot get that ability back ... full stop.)

This would allow the use of the functionality for "build machine" type
situations where in reality it is root or trusted proxy doing the chroot. In
addition it should be a one-shot.. you use it , you lose it.
With the advent of "everyone has there own computer" I am not sure how
important it is to have "real users"  be able to do builds.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2018-05-20 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

Eitan Adler  changed:

   What|Removed |Added

 Status|In Progress |Open

--- Comment #11 from Eitan Adler  ---
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "b...@freebsd.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2014-06-17 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

--- Comment #10 from Robert Watson rwat...@freebsd.org ---
Just to follow up on Nathan and my conversation on IRC, things are made rather
more complicated than one might hope by a gradual increase in the number of
processes, over time, with credential changes. For example, Mac OS X's
sandboxing system, based on our MAC Framework, frequently experiences domain
transitions, and we could anticipate similar changes.  It sounds like there is
a net agreement that adopting a nice model for finer-grained, role-based
privileges (e.g., the Solaris model) would have significant benefit to reducing
the exposure in the event something did go wrong with unprivileged chroot --
and solve a number of other problems (e.g., unprivileged DTrace, better
privilege-set abstractions for Jail), and is a worthy cause on the path to this
sort of change. However, unprivileged chroot() will remain a sticky problem as
programs of necessity place enormous trust in the UNIX filesystem namespace --
especially when it comes to features such as runtime linking, configuration
files, etc, so if there is any form of 'call-gate'-style privilege escalation
(e.g., setuid, setgid, TE MAC transitioning binaries), we could get ourselves
into trouble.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to freebsd-bugs-unsubscr...@freebsd.org

[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2014-06-16 Thread bz-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

Robert Watson rwat...@freebsd.org changed:

   What|Removed |Added

 CC||rwat...@freebsd.org

--- Comment #8 from Robert Watson rwat...@freebsd.org ---
A appreciate the desirability for the features implied by this change, but
given the propensity for vulnerabilities relating to chroot() in the past,
think we should take a very conservative approach to potentially adopting it. 
There's a particular concern with how it interacts with non-UNIX-ID-based
models -- e.g., MAC, Capsicum, Audit, Jail, as well as a future fine-grained
privilege model.

Overall, I'd rate this proposed change as extremely high risk; we will fix
multiple vulnerabilities in it in the future, and so that cost would need to
be carefully weighed against presumed benefit -- a fine-grained privilege model
in which PRIV_CHROOT is delegable to only specific users or roles would help
mitigate that risk.

I wonder if a more suitable name for the proposed P_NOSUGID would be
P_NOCREDCHANGE, and I also wonder if it should be CR_NOCREDCHANGE.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to freebsd-bugs-unsubscr...@freebsd.org

[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2014-06-16 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

--- Comment #9 from Nathan Whitehorn nwhiteh...@freebsd.org ---
There are, I think, two potential security issues here:
1. Many pieces of software assume that if you chroot and drop privileges, no
further chroot is possible.
2. There could be sneaky ways of obtaining privileges once no-new-privileges is
set.

(1) is pretty straightforward since we can just disallow unprivileged chroot
after any other chroot. (2) is the complex one. Are there others?

Some no-cred-change property for processes seems extremely useful from a
security perspective and, if we have one we could trust, this patch becomes
trivial. Would it make sense just to work on that first and come back to
unprivileged chroot later?

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to freebsd-bugs-unsubscr...@freebsd.org

[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2014-06-08 Thread bz-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

Nathan Whitehorn nwhiteh...@freebsd.org changed:

   What|Removed |Added

  Attachment #84994|0   |1
is obsolete||
 CC||nwhiteh...@freebsd.org

--- Comment #6 from Nathan Whitehorn nwhiteh...@freebsd.org ---
Created attachment 143547
  -- https://bugs.freebsd.org/bugzilla/attachment.cgi?id=143547action=edit
Prevents escape from unprivileged chroot

This fixes the issue of using this feature to escape from a chroot established
with privileges after dropping them by the simple expedient of unconditionally
preventing unprivileged chroot while already in a chroot.

The second issue raised (MAC transitions) I know nothing about and cannot
address.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to freebsd-bugs-unsubscr...@freebsd.org

[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

2014-06-08 Thread bz-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

--- Comment #7 from ji...@quis.cx ---
I remember someone saying this could be exploited using rfork. I don't know why
it's not listed in this bug.

IIRC the problem was that fd_rdir (root of the processes) was stored in
proc-p_fd (struct filedesc) and the P_NOSUGID-flag in struct proc itself. One
could use rfork to create a new process with the same descriptor table and call
chroot in the child which would flag the child with P_NOSUGID but change to
root for the parent as well. The parent doesn't get P_NOSUGID however and will
be able to execve a setuid executable with a fake libc.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to freebsd-bugs-unsubscr...@freebsd.org