866-RON-0-FEZ 8 hours ago

Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment?

For my next trick I will demonstrate how to break into my own house to open the blinds by using my keys.

Security researcher theatrics will never not be funny.

gjm11 8 hours ago | parent | next [-]

Maybe I'm misunderstanding the video, but it looks to me as if the situation is:

You are root inside a sandbox. As root-in-the-sandbox, you create a symlink and this gives you the ability to escape the sandbox.

(Whether this is interesting or not depends on whether anyone actually tries to use the sandbox facility in such a way as to give root-in-the-sandbox privileges to untrusted people or code. I don't know enough about OpenBSD to answer that.)

wahern 31 minutes ago | parent | next [-]

unveil was designed and intended to effectively sandbox root when combined with sufficiently strict pledge permissions. I don't think this exploit would have affected any existing OpenBSD services, but sometimes services need to keep around processes with higher privileges than the network-facing process, yet you still want to sandbox them as much as possible. For example, sshd uses a special auth process, and that process needs higher privileges to be able to access the password database. On OpenBSD this auth process doesn't need root, but there may be similar cases where you want to use unveil with a root process for defense-in-depth. Suffice it to say, it would be foolish to only use unveil with such processes.

The bug here actually involved the intersection of unveil and pledge. IIUC, it was more a pledge bug that accidentally allowed bypassing unveil checks.

ori_b 7 hours ago | parent | prev | next [-]

OpenBSD doesn't do different user accounts inside vs outside sandboxes; if you're root in the sandbox, you're root on the system.

anthk 5 hours ago | parent [-]

Also I tried the Dirtyfrag exploit under Bubblewrap for GNU/Linux. It lasted, but finally I got root with a simple 'su'.

866-RON-0-FEZ 7 hours ago | parent | prev [-]

So what? You're still root. You're relying on a sandbox to plug a few voids while you still effectively held keys to the kingdom before said voids were plugged.

I hear this excuse daily from developers who insist on running all their docker containers as root "because we have to".

If you're relying on a sandbox as your first line of defense you've already lost the war.

MarsIronPI 7 hours ago | parent [-]

I think the idea is to not run programs as root in the sandbox.

SmirkingRevenge 6 hours ago | parent | prev | next [-]

The parent's tone wasn't warranted, but bugs like this could be more serious if combined with privilege escalation bugs in the sandbox.

Ideally, sandboxes should be like Vegas - what happens in the sandbox stays in the sandbox.

(I'm just speaking hypothetically here, I'm not knowledgeable about OpenBSD or its sandboxes)

rs_rs_rs_rs_rs 8 hours ago | parent | prev [-]

>Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment

Can you help figure out where it says unveil does not really work when root is involved?

866-RON-0-FEZ 8 hours ago | parent [-]

You left a snarky comment, then paraded around a positively lame example as some sort of trophy.

Here's what I can figure out: you need root to set up the environment just so. It's a don't-care. The end.

3form 8 hours ago | parent | next [-]

So, a break out of chroot in a chroot jailed app would be a non-issue because I need root to set it up?

yjftsjthsd-h 7 hours ago | parent [-]

If you need root to set up the escape, then yes that is relatively uninteresting. Like, we know chroot can't contain root.

3form 6 hours ago | parent [-]

Thanks. It was not evident from the example whether root inside of the sandbox is necessary - I assumed creating arbitrary symlinks doesn't require any particular capabilities, and there's nothing special about the locations.

Though it's not clear to me now:

- why was this patched then?

- is the point about root that non-root wouldn't have access to passwd anyway?

ori_b 5 hours ago | parent [-]

OpenBSD doesn't have separate user accounts for sandboxes. These sandboxes are not linux-style containers, they're narrowed views of the full install.

If you're root inside the sandbox, you're root outside it. This exploit requires you to already be root.

3form 3 hours ago | parent [-]

But the issue of root and accessing outside of the sandbox is orthogonal, no? Even if you're logged in as XYZ, accessing XYZ's contents outside of the sandbox is still a breach and a problem. Or does this issue require actual root to manifest?

ori_b 2 hours ago | parent [-]

This path was special-cased to allow restricted applications to access time zone files, which are needed for time functions. Not any symlink will do, it has to be the specific one shown in the example exploit, or one of a small handful of others that were special-cased for similar reasons. The places these symlinks live are owned by root. This is the same root user outside the sandbox as inside it.

So, yes, you need to have root on the box to set up this exploit.

rs_rs_rs_rs_rs 8 hours ago | parent | prev [-]

>Here's what I can figure out: you need root to set up the environment just so.

I guess you just don't understand what unveil does.

866-RON-0-FEZ 8 hours ago | parent [-]

Your arrogance is continued proof you could never comprehend the work that goes into building, releasing, and maintaining an entire OS, and your contributions will forever be limited to snarky negativity on message boards.

rs_rs_rs_rs_rs 6 hours ago | parent [-]

Anything on unveil and not about me?

866-RON-0-FEZ 5 hours ago | parent [-]

If you think their code sucks to the point people should think twice about using it, I suggest you stop using OpenSSH immediately.

Please be sure to let us know when your better, more secure replacement is ready.