Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 17 Nov 2000 21:14:24 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 17 Nov 2000 21:14:13 -0500 Received: from esperi.demon.co.uk ([194.222.138.8]:6664 "EHLO esperi.demon.co.uk") by vger.kernel.org with ESMTP id ; Fri, 17 Nov 2000 21:13:59 -0500 To: Peter Samuelson Cc: linux-kernel@vger.kernel.org Subject: Re: Linux 2.2.18pre21 In-Reply-To: <20001116150704.A883@emma1.emma.line.org> <20001116171618.A25545@athlon.random> <20001116115249.A8115@wirex.com> <20001117003000.B2918@wire.cadcamlab.org> X-Emacs: because you deserve a brk today. From: Nix Date: 18 Nov 2000 01:38:58 +0000 In-Reply-To: Peter Samuelson's message of "17 Nov 2000 10:25:25 -0000" Message-ID: <87g0kq3vpp.fsf@loki.wkstn.nix> Lines: 18 User-Agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Channel Islands) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Peter Samuelson writes: > Two easy "get out of jail free" cards. There are other, more complex > exploits. You have added one more. They all require root privileges. Unless I'm missing something, not all of them do. I haven't checked this or anything, but it seems to me that all you need is a cooperating process outside the jail, that opens some world-readable directory and sends it to the exploit process inside the jail, which fchdir()s to it. Of course you *do* need an AF_UNIX socket inside the jail for this, too, so it is probably a quite unlikely attack; but if, for instance, you reused an outside-the-jail uid *inside* the jail, and the jail had places writable by this user... bing, no root necessary. -- `The phrase `causes storage to be reserved', doesn't mean that it causes storage to be reserved. This is a fundamental misunderstanding of Standardeze.' --- Mike Stump on the GCC list - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/