chroot(2) security
Darryl P. Wagoner
dpw at rayssd.UUCP
Sat Oct 4 21:44:17 AEST 1986
> >
> > copy /etc/passwd to /mt33/user/test/etc/passwd
> >
> > edit out the passwd for root
> >
> > write a program that changes the root directory to
> > /mnt23/user/test
> > and then proceeds to exec /bin/login
>
> Wait a minute, now it's *my* turn to be missing something here. *Which*
> /bin/login? If the root directory is now actually /mnt23/user/test, then
> presumably we would be trying to execute /mnt23/user/test/bin/login, not
> the /bin/login that is setuid root and which is able to log a user in.
>
> > run the program and log in as the su.

I think the part that was missed was the link from /bin/login and/or /bin/su
to /mnt23/user/test/bin/login or /mnt23/user/test/bin/su. This would work
only if /mnt23 was in the same file system as /bin. The trick is to make
a suid to root program.
--
Darryl Wagoner Raytheon Co.; Portsmouth RI; (401)-847-8000 x4089
best path {allegra|gatech|mirror|raybed2} -----\
next best {linus|ihnp4|cci632} ------------------>!rayssd!dpw
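
The condition this thread turns on is a setuid program that has a second hard link inside the directory tree used as the new root. As an added example (not part of the original post), this Python audit lists setuid regular files with more than one link and counts the links that lie outside the scanned directories; the function name and record fields are this example's own.

```python
import os
import stat
import sys
from collections import defaultdict


def find_setuid_hardlinks(roots):
    """Find setuid regular files under `roots` that have more than one hard link.

    Returns a list of dicts (fields are this example's own naming), one per inode.
    """
    seen = defaultdict(set)   # (device, inode) -> paths found for that inode
    meta = {}                 # (device, inode) -> (owner uid, link count)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; skip it
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mode & stat.S_ISUID and st.st_nlink > 1:
                    key = (st.st_dev, st.st_ino)
                    seen[key].add(os.path.abspath(path))
                    meta[key] = (st.st_uid, st.st_nlink)
    report = []
    for key, paths in sorted(seen.items()):
        uid, nlink = meta[key]
        report.append({
            "uid": uid,
            "nlink": nlink,
            "paths": sorted(paths),
            # Links that exist on the filesystem but outside the scanned roots.
            "unseen_links": nlink - len(paths),
        })
    return report


if __name__ == "__main__":
    for entry in find_setuid_hardlinks(sys.argv[1:] or ["/"]):
        print("setuid file, owner uid %(uid)d, %(nlink)d links, "
              "%(unseen_links)d outside scan:" % entry)
        for p in entry["paths"]:
            print("    " + p)
```

On Linux, the `fs.protected_hardlinks` sysctl stops unprivileged users from creating hard links to files they do not own.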