From: "H. Peter Anvin" <hpa@zytor.com>
To: linux-kernel@vger.kernel.org
Subject: Re: Linux 2.2.18pre21
Date: 16 Nov 2000 22:40:00 -0800 [thread overview]
Message-ID: <8v2js0$qpr$1@cesium.transmeta.com> (raw)
In-Reply-To: <E13u4XD-0001oe-00@the-village.bc.nu> <20001116171618.A25545@athlon.random> <20001116115249.A8115@wirex.com> <20001117003000.B2918@wire.cadcamlab.org>
Followup to: <20001117003000.B2918@wire.cadcamlab.org>
By author: Peter Samuelson <peter@cadcamlab.org>
In newsgroup: linux.dev.kernel
>
>
> [jesse]
> > 1. Your server closes all open directory file descriptors and chroots.
> > 2. Someone manages to run some exploit code in your process space which--
>
> mkdir("foo")
> chroot("foo")
BUG: you *MUST* chdir() into the chroot jail before it does you any
good at all!
I usually recommend:
mkdir("foo");
chdir("foo");
chroot(".");
> Bottom line: once you are in the chroot jail, you must drop root
> privileges, or you defeat the purpose. Security-conscious coders know
> this; it's not Linux-specific behavior or anything.
Indeed. They also know the above.
-hpa
--
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2000-11-17 7:10 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2000-11-10 3:07 Linux 2.2.18pre21 Alan Cox
2000-11-10 3:44 ` David S. Miller
2000-11-10 11:35 ` Benjamin Herrenschmidt
2000-11-10 15:42 ` Tom Rini
2000-11-10 15:34 ` David S. Miller
2000-11-10 10:59 ` Arnaud S . Launay
2000-11-10 10:52 ` David S. Miller
2000-11-16 14:07 ` Matthias Andree
2000-11-16 16:16 ` Andrea Arcangeli
2000-11-16 19:52 ` jesse
2000-11-16 20:02 ` chroot [Was: Re: Linux 2.2.18pre21] Kurt Roeckx
2000-11-16 21:40 ` Linux 2.2.18pre21 Alan Cox
2000-11-18 10:07 ` Rogier Wolff
2000-11-18 17:32 ` kuznet
2000-11-18 17:34 ` Rogier Wolff
2000-11-18 17:47 ` kuznet
2000-11-18 17:51 ` Rogier Wolff
2000-11-16 22:56 ` Matthias Andree
2000-11-17 6:30 ` Peter Samuelson
2000-11-17 6:40 ` H. Peter Anvin [this message]
2000-11-17 11:22 ` Peter Samuelson
2000-11-17 17:35 ` H. Peter Anvin
2000-11-17 11:34 ` Matthias Andree
2000-11-17 19:23 ` jesse
2000-11-18 20:44 ` Pavel Machek
2000-11-18 1:38 ` Nix
2000-11-21 4:19 ` Peter Samuelson
-- strict thread matches above, loose matches on Subject: below --
2000-11-10 9:28 willy tarreau
2000-11-10 9:44 ` Matti Aarnio
2000-11-10 9:57 ` Constantine Gavrilov
2000-11-10 10:14 ` Matti Aarnio
2000-11-10 10:22 ` Constantine Gavrilov
2000-11-10 10:51 ` Matti Aarnio
2000-11-10 19:11 ` Thomas Davis
2000-11-10 10:18 ` Constantine Gavrilov
2000-11-10 10:40 willy tarreau
2000-11-10 10:49 willy tarreau
2000-11-10 11:21 willy tarreau
2000-11-13 7:00 willy tarreau
2000-11-13 9:47 willy tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='8v2js0$qpr$1@cesium.transmeta.com' \
--to=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.