Re: [Jailkit-dev] more jk_jailuser bugs

From: Olivier Sessink
Subject: Re: [Jailkit-dev] more jk_jailuser bugs
Date: Tue, 15 Nov 2005 01:06:43 +0100
User-agent: Debian Thunderbird 1.0.2 (X11/20051002)

Stephen Tallowitz wrote:

>>>> saves me a lot of work (and thus more time for the parallel init
>>>> program I'm writing  :)  )
>> You're not by any chance involved in
>> http://initng.thinktux.net/index.php/Main_Page, which has received a
>> huge interest in the gentoo community? Didn't see your name there.

no, I'm working for a Debian parallel boot loader that is still
compatible with the Linux Standard Base using standard SysV init
scripts, but the numbering of the runlevels scripts is now optimized by
a separate program, and the parallel boot is starting all programs with
a same order-number at the same time.

>> I think the security problem stems from the fact that builtin
>> commands/functions of a programming language are usually linked
>> against some system libraries. So any modifying a system library or
>> the programming language executables and libraries to gain root access
>> or install a rootkit can be watched by the popular checksum watchers
>> (tripwire et al). Executing a shell command basically leaves open the
>> possibility of anyone putting in an alias such as mv="rm -rf /" or
>> mv="install-my-rootkit". And aliases are probably not what
>> checksum-programs look out for. There are probably many ways to
>> inject such an alias to the root-user, there need only be one
>> incorrectly configured service or directory on a computer.
>> jk_jailuser is always executed as root, so being just that little bit
>> more security conscious might not be a bad idea.

good point, I agree, we should not execute mv on behalf of user root.
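
Added example (not part of the original message and not Jailkit's own code): one way to do the move discussed above with system calls instead of a shell-invoked `mv`, so nothing in root's shell environment is consulted. Python and the helper name `move_as_root` are assumptions made for illustration.

```python
import errno
import os
import shutil
import stat


def move_as_root(src, dst):
    """Move src to dst without a shell or an external mv binary.

    Hypothetical helper for illustration, not a Jailkit function.
    """
    st = os.lstat(src)  # lstat: do not follow a symlink planted at src
    if stat.S_ISLNK(st.st_mode):
        raise ValueError("refusing to move a symlink: %r" % src)
    # Best-effort check: rename(2) would otherwise silently replace an
    # existing file or empty directory at dst.
    if os.path.lexists(dst):
        raise FileExistsError(errno.EEXIST, "destination exists", dst)
    try:
        os.rename(src, dst)  # rename(2): atomic within one filesystem
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise
        # src and dst are on different filesystems: copy, then delete.
        # Ownership is not copied; chown afterwards if it matters.
        if stat.S_ISDIR(st.st_mode):
            shutil.copytree(src, dst, symlinks=True)
            shutil.rmtree(src)
        else:
            shutil.copy2(src, dst)
            os.unlink(src)
    return dst
```

The function never reads `PATH`, aliases or shell startup files, so the only code that runs is the interpreter and the libraries it is linked against, which is what the checksum watchers mentioned above already cover.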

