chroot(2) security
Jim Anderson
jim at aob.uucp
Fri Oct 3 07:54:47 AEST 1986
In article <15879 at ucbvax.BERKELEY.EDU> ballou at brahms.UUCP (Kenneth R. Ballou) writes:
>In article <113 at nonvon.UUCP> apn at nonvon.UUCP (apn) writes:
>>In article <158 at itcatl.UUCP>, parris at itcatl.UUCP (Parris Hughes) writes:
>>> Could some wizard out there please clue me in as to why the chroot(2) call
>>> is only available to the super-user?
>>>
>> ... chroot to
>> /mnt23/user/test
>> and then procedes to exec /bin/login
>
>Wait a minute, now it's *my* turn to be missing something here. *Which*
>/bin/login? If the root directory is now actually /mnt23/user/test, then
>presumably we would be trying to execute /mnt23/user/test/bin/login, not
>the /bin/login that is setuid root and which is able to log a user in.
But you could start by doing a link from /bin/login to
/mnt23/user/test/bin/login. Then, even though you don't have any special
permissions with respect to your linked bin/login, you can still execute
it from your login directory.
When you are done, and you want to get rid of the /bin/login in your
directory, rm will probably mention that you don't have write permission
on a file that you don't own, but since you do have write permission on
your bin directory, it will let you remove the file (ie you CAN still
clean up your trail).
Jim Anderson
More information about the Comp.unix.wizards
mailing list