chroot(2) security
Kenneth R. Ballou
ballou at brahms.BERKELEY.EDU
Wed Oct 1 20:36:46 AEST 1986
In article <113 at nonvon.UUCP> apn at nonvon.UUCP (apn) writes:
>In article <158 at itcatl.UUCP>, parris at itcatl.UUCP (Parris Hughes) writes:
>> Could some wizard out there please clue me in as to why the chroot(2) call
>> is only available to the super-user? I'm probably missing something here,
>> but I don't see any potential security problems with it. Please E-mail your
>> response. Thanks.
>>
>> Parris {akgua|ihnp4}!gatech!itcatl!parris
>
> Let's do an experiment:
>
> Pretend that chroot can be executed by any user, then
> it follows that one could do the following:
>
> cd to your home directory ( or any directory you have write permission)
> (we will pretend it is /mnt33/user/test)
>
> make a subdirectory called "etc" in your directory
> (this is now /mnt33/user/test/etc)
>
> copy /etc/passwd to /mt33/user/test/etc/passwd
>
> edit out the passwd for root
>
> write a program that changes the root directory to
> /mnt23/user/test
> and then proceeds to exec /bin/login
Wait a minute, now it's *my* turn to be missing something here. *Which*
/bin/login? If the root directory is now actually /mnt23/user/test, then
presumably we would be trying to execute /mnt23/user/test/bin/login, not
the /bin/login that is setuid root and which is able to log a user in.
> run the program and log in as the su.
> -alex p novickis
--------------
Kenneth R. Ballou ...!ucbvax!ucbbrahms!ballou
Dept. of Mathematics
Evans Hall
University of California
Berkeley, California 94720
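An added example, not part of the original post: a small C program that checks the path-resolution point raised in the reply by chrooting a child process into an empty scratch directory and looking up /bin/login from inside it. The scratch path and all function names are constructed for illustration; for an unprivileged caller the chroot(2) call itself is refused, which is the restriction the original question asks about.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* declares chroot() and mkdtemp() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

enum outcome { CHROOT_REFUSED = 1, LOGIN_MISSING = 2, LOGIN_FOUND = 3, DEMO_ERROR = 4 };

/* Create an empty scratch directory, chroot(2) into it in a child process,
 * and report what "/bin/login" resolves to from inside the new root. */
enum outcome login_lookup_after_chroot(void)
{
    char root[] = "/tmp/chroot-demo-XXXXXX";    /* constructed scratch path */
    if (mkdtemp(root) == NULL)
        return DEMO_ERROR;

    pid_t pid = fork();
    if (pid < 0) { rmdir(root); return DEMO_ERROR; }
    if (pid == 0) {
        /* Child: the root change is confined to this process.
         * Any chroot failure is reported as refused; EPERM is what a
         * caller without superuser privilege gets. */
        if (chroot(root) != 0)
            _exit(CHROOT_REFUSED);
        if (chdir("/") != 0)
            _exit(DEMO_ERROR);
        /* "/bin/login" is now looked up as <root>/bin/login. The host's
         * setuid-root login is no longer reachable by that name. */
        _exit(access("/bin/login", F_OK) == 0 ? LOGIN_FOUND : LOGIN_MISSING);
    }
    int status = 0;
    pid_t waited = waitpid(pid, &status, 0);
    rmdir(root);                                 /* scratch directory is still empty */
    if (waited < 0 || !WIFEXITED(status))
        return DEMO_ERROR;
    return (enum outcome)WEXITSTATUS(status);
}

int main(void)
{
    static const char *text[] = { "", "chroot(2) refused", "/bin/login not found in new root",
                                  "/bin/login found in new root", "demo error" };
    printf("%s\n", text[login_lookup_after_chroot()]);
    return 0;
}
```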