[Luke Mewburn <lukem@wasabisystems.com>] LD_CHROOT idea

From: Slawek Zak (zaks@prioris.mini.pw.edu.pl)
Date: 04/09/01


From: Slawek Zak <zaks@prioris.mini.pw.edu.pl>
To: freebsd-security@freebsd.org
Date: 09 Apr 2001 20:08:17 +0200

I post it in case you don't follow the NetBSD security list... What do
you think about the following idea? It would greatly simplify building
chrooted environments but are there any negative implications?

--------------------[ Forwarded message ]-----------------------------

Date: Fri, 6 Apr 2001 15:57:07 +1000
From: Luke Mewburn <lukem@wasabisystems.com>
To: tech-security@netbsd.org
Subject: LD_CHROOT idea

Hi people.

Matt Green told me about a proposal that Julian Assange made a few
years ago, and the more I consider it, the more I think it might
be useful.

The idea is to add a few more environment variables to ld.so;
        LD_CHROOT directory to chdir(2) then chroot(2) to
        LD_CHROOT_UID uid to run as (optional)
        LD_CHROOT_GID gid to run as (optional)
        LD_CHROOT_GIDS comma separated list of secondary gids (optional)

If LD_CHROOT is set and the process isn't setuid or setgid, then
before the actual entry into the process, ld.so chroot(2)s to
$LD_CHROOT, sets up the secondary groups, gid, and uid (if requested).
All of the LD_CHROOT* variables are cleared from the environment,
even if they're not used.

The benefits of this approach are that you:

        * don't need to have the shared libraries inside the chroot jail,
          which improves maintainability of N chroot jails.

        * don't need to have the binary inside the chroot jail,
          which means it can't be modified if the binary is attacked.

Of course, this assumes that the VM system protects shared library
pages mapped in read-only. And you still need to put your config
files and a syslog socket in the cage, but that's trivial to
maintain.

I've got a sample implementation of this and it seems to work as
expected.

Comments?

PS: I'll add support into the rc.d stuff to take advantage of this if
we go ahead, for run_rc_command to detect whether to use LD_CHROOT or
chroot(8) depending on options passed in and if the program is static
or dynamic.

----------------------------------------------------------------------
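The mechanism in the forwarded message above, as an added example that is not code from the post or from NetBSD's ld.so: a user-space C sketch of what a loader would do before jumping to the program's entry point, namely refuse to act in a set-id process, parse the LD_CHROOT* variables, scrub them from the environment whether or not they are used, then chdir, chroot, and set secondary groups, gid and uid in that order. The function names (parse_gid_list, parse_id, scrub_ld_chroot_env, ld_chroot_apply), the 32-entry group cap and the real-vs-effective id comparison used in place of issetugid(2) are this example's own assumptions.

```c
#define _GNU_SOURCE            /* setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define LD_CHROOT_MAX_GIDS 32  /* assumed cap, not from the post */
extern char **environ;

/* LD_CHROOT_GIDS "10,20,30" -> out[]. Returns the count (0 if unset or empty),
 * -1 on a bad field, a sign, a trailing comma, or more than max entries. */
int parse_gid_list(const char *s, gid_t *out, size_t max)
{
    size_t n = 0;
    if (s == NULL || *s == '\0')
        return 0;
    for (;;) {
        char *end;
        unsigned long v;
        if (*s < '0' || *s > '9' || n >= max)   /* strtoul alone would take "-1" */
            return -1;
        errno = 0;
        v = strtoul(s, &end, 10);
        if (errno != 0 || v != (gid_t)v)        /* overflow, or does not fit gid_t */
            return -1;
        out[n++] = (gid_t)v;
        if (*end == '\0')
            return (int)n;
        if (*end != ',')
            return -1;
        s = end + 1;                            /* trailing comma fails the digit check */
    }
}

/* LD_CHROOT_UID / LD_CHROOT_GID: exactly one id and nothing else. */
int parse_id(const char *s, unsigned long *out)
{
    gid_t one;
    if (parse_gid_list(s, &one, 1) != 1)
        return -1;
    *out = one;
    return 0;
}

/* The post's precondition: never honour LD_CHROOT* in a set-id process.
 * NetBSD/FreeBSD have issetugid(2); this is the portable real-vs-effective check. */
int process_is_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Drop every LD_CHROOT* entry from an envp array in place, used or not. Returns the count. */
int scrub_ld_chroot_env(char **envp)
{
    int dropped = 0;
    char **src, **dst = envp;
    for (src = envp; *src != NULL; src++) {
        if (strncmp(*src, "LD_CHROOT", 9) == 0)
            dropped++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return dropped;
}

/* Enter the jail in the post's order: chdir, chroot, secondary groups, gid, uid.
 * Groups and gid must precede uid: an unprivileged uid can no longer change them.
 * Needs privilege for chroot(2); returns 0, or -1 with errno set. */
int ld_chroot_apply(const char *dir, const char *uid_s, const char *gid_s,
                    const char *gids_s)
{
    gid_t gids[LD_CHROOT_MAX_GIDS];
    unsigned long uid = 0, gid = 0;
    int ngids = parse_gid_list(gids_s, gids, LD_CHROOT_MAX_GIDS);
    if (ngids < 0 || (uid_s && parse_id(uid_s, &uid) != 0) ||
        (gid_s && parse_id(gid_s, &gid) != 0)) {
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) != 0 || chroot(dir) != 0)
        return -1;
    if (gids_s && setgroups(ngids, gids) != 0)
        return -1;
    if (gid_s && setgid((gid_t)gid) != 0)
        return -1;
    if (uid_s && setuid((uid_t)uid) != 0)
        return -1;
    return 0;
}

/* What a loader would do before handing control to the program. Variables are
 * read first, then scrubbed even when they end up unused. */
int main(void)
{
    const char *dir = getenv("LD_CHROOT"), *u = getenv("LD_CHROOT_UID");
    const char *g = getenv("LD_CHROOT_GID"), *gs = getenv("LD_CHROOT_GIDS");
    scrub_ld_chroot_env(environ);
    if (dir != NULL && !process_is_setugid() && ld_chroot_apply(dir, u, g, gs) != 0)
        perror("ld_chroot_apply");
    return 0;
}
```

Run without privilege it only strips the variables; with LD_CHROOT set and root it enters the directory and drops to the requested ids. The order inside ld_chroot_apply is the part worth copying: the parsing is finished before any irreversible call, chdir precedes chroot so the working directory is inside the new root, and setgroups and setgid run before setuid because after the uid change the process has lost the privilege to adjust them.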
