[prev in list] [next in list] [prev in thread] [next in thread]
List: klik-devel
Subject: Re: [klik-devel] sudo chroot
From: "Fabian Franz" <FabianFranz () gmx ! de>
Date: 2008-03-11 3:34:45
Message-ID: 20080311033445.261680 () gmx ! net
[Download RAW message or body]
> On Monday 03 March 2008 03:52:54 you wrote:
> > did you ever figure out why you cant
> > sudo chroot onto a mount point using fusioniso ?
> > Jason
>
> To allow root access to a fuse mount point, you need to add
> "user_allow_other"
> into the /etc/fuse.conf directory and concat "-o allow_root" at the end of
> the fusioniso instanciation.
That is good to know, however couldn't you do a suid binary like:
chroot(klik_path);
setuid(getuid());
argv++;
execl(argv[0], argv);
chroot is completely harmless if the mount point to change to is mounted with \
nosuid,nodev.
However you would still need to bind mount /dev and /tmp/.X11-unix (or /tmp only).
And this bind mounts would be visible for all users and also not vanish \
automatically.
So working could be:
clone(CLONE_NEWS);
parent: wait for child
child:
// check if klik_path is okay to use (mounted nosuid,nodev) and then do
// bind mount /dev
// bind mount /tmp
chroot(klik_path);
// drop priviledges
setuid(getuid());
argv++;
execl(argv[0], argv);
However then you could directly use the pivot_root solution with a somewhat simpler \
interface.
And if the fusermount does not allow suid mounts (which it hopefully does not), this \
is secure as well.
... or not.
The user could still umount the dir in between the check and the chroot such having \
access to chroot anywhere, which is not secure.
Example: fusermount iso.iso /mynewroot/
klik_suid &
umount /mynewroot # race condition
$ pwd
/
$ ls
this_is_mynewroot.txt [...]
So, unfortunately, there is no way around what I wrote so far.
Have the suid binary mount the one part of the fuse fs (as root with nosuid,nodev) + \
the bind mounts and have the userland deliver the server (fusioniso).
cu
Fabian
_______________________________________________
klik-devel mailing list
klik-devel@kde.org
https://mail.kde.org/mailman/listinfo/klik-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic