On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin <jhb@freebsd.org> wrote: > On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote: >> On 12/29/11 10:43, John Baldwin wrote: >> > On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote: >> >> On 12/29/11 06:39, John Baldwin wrote: >> >>> Can you give some more details on why ftpd is triggering a >> >>> dlopen inside of the chroot? =C2=A0It would appear that that is >> >>> unrelated to helper programs (since setting a flag in libc in >> >>> ftpd can't possibly affect helper programs ability to use >> >>> dlopen() from within libc). >> >> >> >> Sure. =C2=A0That's because nsdispatch(3) would reload >> >> /etc/nsswitch.conf if it notices a change. =C2=A0After chroot() the >> >> file is considered as "chang"ed and thus it reloads the file as >> >> well as designated shared libraries. >> > >> > But ftpd has to be doing some operation that invokes an nss lookup >> > after entering the chroot for that to trigger, correct? >> >> Oh ok, that was the built-in ls(1). > > Were we not able to drop privilege before doing that? =C2=A0I.e. if you > forked a new process that dropped privilege before doing the ls > (similar to if you were to exec /bin/ls as a helper), would that not > have fixed this? No, it won't. This is arbitrary code execution and not just privilege escalation :( Cheers, --=20 Xin LI <delphij@delphij.net> https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"