Re: pam_chroot-0.8 released

[John Newbigin <jn it swin edu au>]

Here is a more complete check procedure.  I have used this code so I 
hope it is secure :)

int verify_socket_path(char *name)
{
        int i = 0;
        char x;
        int result = 0;
        struct stat buf;

        name = strdup(name);

        while(name[i])
        {
                if(name[i] == '/')
                {
                        x = name[i + 1];
                        name[i + 1] = 0;
                        //printf("path = %s\n", name);
                        stat(name, &buf);
                        //printf("uid = %d gid = %d\n", buf.st_uid, 
buf.st_gid);
                        if(buf.st_uid != 0)
                        {
                                // make sure there is no user write access
                                if(buf.st_mode & S_IWUSR)
                                {
                                        result = -1;
                                        fprintf(stderr, "non root user 
has write access to %s\n", name);
                                }
                        }
                        if(buf.st_gid != 0)
                        {
                                // make sure there is no group write access
                                if(buf.st_mode & S_IWGRP)
                                {
                                        result = -1;
                                        fprintf(stderr, "non root group 
has write access to %s\n", name);
                                }
                        }
                        // make sure there is no group write access
                        if(buf.st_mode & S_IWOTH)
                        {
                                result = -1;
                                fprintf(stderr, "all users have write 
access to %s\n", name);
                        }
                        name[i + 1] = x;
                }
                i++;
        }

        free(name);
        return result;
}

Solar Designer wrote:

> On Tue, May 04, 2004 at 08:23:07PM -0500, Ed Schmollinger wrote:
>
> > pam_chroot-0.8 has been released.   Kudos to Heiko Hund for contribution
> > of some nifty ideas and code to implement them.
> >
> > The new version is available from
> > http://sourceforge.net/projects/pam-chroot/
>
>
> You could want to check out this patch:
>
> cvs -d :pserver:anoncvs:anoncvs anoncvs owl openwall com:/cvs co Owl/packages/pam/pam-0.75-owl-pam_chroot.diff
>
> It is not against your version, but it is relevant to it as well.
>
> Basically, the point is that it is unsafe to chroot() to a path which
> contains directories writable by an untrusted user.  Unfortunately,
> few people realize that, so this kind of misuse of chroot() is all too
> common.


--
John Newbigin - Computer Systems Officer
School of Information Technology
Swinburne University of Technology
Melbourne, Australia
http://www.it.swin.edu.au/staff/jnewbigin