by rs_rs_rs_rs_rs 35 days ago
>Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment

Can you help figure out where it says unveil does not really work when root is involved?


You left a snarky comment, then paraded around a positively lame example as some sort of trophy.

Here's what I can figure out: you need root to set up the environment just so. It's a don't-care. The end.

So, a break out of chroot in a chroot jailed app would be a non-issue because I need root to set it up?

If you need root to set up the escape, then yes that is relatively uninteresting. Like, we know chroot can't contain root.

Thanks. It was not evident from the example whether root inside of the sandbox is necessary - I assumed creating arbitrary symlinks doesn't require any particular capabilities, and there's nothing special about the locations.

Though it's not clear to me now:

- why was this patched then?

- is the point about root that non-root wouldn't have access to passwd anyway?

OpenBSD doesn't have separate user accounts for sandboxes. These sandboxes are not Linux-style containers, they're narrowed views of the full install.

If you're root inside the sandbox, you're root outside it. This exploit requires you to already be root.

But the issue of root and accessing outside of the sandbox is orthogonal, no? Even if you're logged in as XYZ, accessing XYZ's contents outside of the sandbox is still a breach and a problem. Or does this issue require actual root to manifest?

>Here's what I can figure out: you need root to set up the environment just so.

I guess you just don't understand what unveil does.

Your arrogance is continued proof you could never comprehend the work that goes into building, releasing, and maintaining an entire OS, and your contributions will forever be limited to snarky negativity on message boards.

Anything on unveil and not about me?

If you think their code sucks to the point people should think twice about using it, I suggest you stop using OpenSSH immediately.

Please be sure to let us know when your better, more secure replacement is ready.