undefined | Better HN

0 points866-RON-0-FEZ1mo ago0 comments

Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment?

For my next trick I will demonstrate how to break into my own house to open the blinds by using my keys.

Security researcher theatrics will never not be funny.

0 comments

11 comments · 3 top-level

gjm111mo ago· 5 in thread

Maybe I'm misunderstanding the video, but it looks to me as if the situation is:

You are root inside a sandbox. As root-in-the-sandbox, you create a symlink and this gives you the ability to escape the sandbox.

(Whether this is interesting or not depends on whether anyone actually tries to use the sandbox facility in such a way as to give root-in-the-sandbox privileges to untrusted people or code. I don't know enough about OpenBSD to answer that.)

ori_b1mo ago

OpenBSD doesn't do different user accounts inside vs outside sandboxes; if you're root in the sandbox, you're root on the system.

anthk1mo ago

Also I tried the Dirtyfrag exploit under Bubblewrap for GNU/Linux. It lasted, but finally I got root with a simple 'su'.

wahern1mo ago

unveil was designed and intended to effectively sandbox root when combined with sufficiently strict pledge permissions. I don't think this exploit would have effected any existing OpenBSD services, but sometimes services need to keep around processes with higher privileges than the network-facing process, yet you still want to sandbox them as much as possible. For example, sshd uses a special auth process, and that process needs higher privileges to be able to access the password database. On OpenBSD this auth process doesn't need root, but there may be similar cases where you want to use unveil with a root process for defense-in-depth. Suffice it to say, it would be foolish to only use unveil with such processes.

The bug here actually involved the intersection of unveil and pledge. IIUC, it was more a pledge bug that accidentally allowed bypassing unveil checks.

866-RON-0-FEZOP1mo ago

So what? You're still root. You're relying on a sandbox to plug a few voids while you still effectively held keys to the kingdom before said voids were plugged.

I hear this excuse daily from developers who insist on running all their docker containers as root "because we have to".

If you're relying on a sandbox as your first line of defense you've already lost the war.

MarsIronPI1mo ago

I think the idea is to not run programs as root in the sandbox.

rs_rs_rs_rs_rs1mo ago· 3 in thread

>Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment

Can you help figure out where does it say unveil does not really work when root is involved?

866-RON-0-FEZOP1mo ago

You left a snarky comment, then paraded around a positively lame example as some sort of trophy.

Here's what I can figure out: you need root to set up the environment just so. It's a don't-care. The end.

3form1mo ago

So, a break out of chroot in a chroot jailed app would be a non-issue because I need root to set it up?

1 more reply

rs_rs_rs_rs_rs1mo ago

>Here's what I can figure out: you need root to set up the environment just so.

I guess you just don't understand what unveil does.

1 more reply

SmirkingRevenge1mo ago

The parents tone wasn't warranted, but bugs like this could be more serious if combined with privilege escalation bugs in the sandbox.

Ideally, sandboxes should be like Vegas - what happens in the sandbox stays in the sandbox.

(I'm just speaking hypothetically here, I'm not knowledgeable about OpenBSD or it's sandboxes)

j / k navigate · click thread line to collapse

0 comments

11 comments · 3 top-level

gjm111mo ago· 5 in thread

Maybe I'm misunderstanding the video, but it looks to me as if the situation is:

You are root inside a sandbox. As root-in-the-sandbox, you create a symlink and this gives you the ability to escape the sandbox.

ori_b1mo ago

OpenBSD doesn't do different user accounts inside vs outside sandboxes; if you're root in the sandbox, you're root on the system.

anthk1mo ago

Also I tried the Dirtyfrag exploit under Bubblewrap for GNU/Linux. It lasted, but finally I got root with a simple 'su'.

wahern1mo ago

The bug here actually involved the intersection of unveil and pledge. IIUC, it was more a pledge bug that accidentally allowed bypassing unveil checks.

866-RON-0-FEZOP1mo ago

So what? You're still root. You're relying on a sandbox to plug a few voids while you still effectively held keys to the kingdom before said voids were plugged.

I hear this excuse daily from developers who insist on running all their docker containers as root "because we have to".

If you're relying on a sandbox as your first line of defense you've already lost the war.

MarsIronPI1mo ago

I think the idea is to not run programs as root in the sandbox.

rs_rs_rs_rs_rs1mo ago· 3 in thread

>Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment

Can you help figure out where does it say unveil does not really work when root is involved?

866-RON-0-FEZOP1mo ago

You left a snarky comment, then paraded around a positively lame example as some sort of trophy.

Here's what I can figure out: you need root to set up the environment just so. It's a don't-care. The end.

3form1mo ago

So, a break out of chroot in a chroot jailed app would be a non-issue because I need root to set it up?

1 more reply

rs_rs_rs_rs_rs1mo ago

>Here's what I can figure out: you need root to set up the environment just so.

I guess you just don't understand what unveil does.

1 more reply

SmirkingRevenge1mo ago

The parents tone wasn't warranted, but bugs like this could be more serious if combined with privilege escalation bugs in the sandbox.

Ideally, sandboxes should be like Vegas - what happens in the sandbox stays in the sandbox.

(I'm just speaking hypothetically here, I'm not knowledgeable about OpenBSD or it's sandboxes)

j / k navigate · click thread line to collapse