, David Young <dyoung@pobox.com>
From: mouss <usebsd@free.fr>
List: tech-kern
Date: 01/27/2003 17:42:06
At 15:02 23/01/2003 -0800, Greywolf wrote:
> A normal user creates, say, a hierarchy under a mysteriously
> writable directory under the root filesystem, creating a hard link from
> /usr/bin/su to, say, /bogusdir/usr/bin/su.
>
> Said user manages to write his own copy of /etc/master.passwd
> with, say, root's encrypted passwd string removed.
>
> Said user makes an exec wrapper:
>
> #include <unistd.h>
> int main(void){setuid(geteuid());seteuid(geteuid());execl("/bin/sh","-sh",(char *)0);return 1;}
>
> ...compiles it and puts it in as /bogusdir/bin/hole.
>
> chroot is not restricted. User chroots into /bogusdir, runs
> /usr/bin/su. Bingo. No password. He is now root.
Ahem??? If a process can become root while it was not, then there's
an enor-mouss problem somewhere!
> This falls into the same category of "Under what conditions is it safe to
> point a loaded gun at oneself?", really.
If it were me, I'd allow anyone to chroot, as I see no design rationale for
linking chroot with access control. It's like in real life: being able to
drink beer doesn't give you the right to enter a bar....
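An added audit helper (not from either poster) for the precondition Greywolf's scenario relies on: a set-uid executable that has acquired a second hard link somewhere else on the same filesystem. The function names and the /tmp sample tree are assumptions; the script builds its own sample and does not touch /usr/bin.

```shell
#!/bin/sh
# Added example: find set-uid files below a directory that have more than
# one hard link. On a filesystem where ordinary users may hard-link files
# they do not own, such a second link is exactly what a chroot + fake
# /etc/master.passwd trick needs, so a link count above 1 on a set-uid
# binary is worth an alert. (-xdev stays on one filesystem; hard links
# cannot cross filesystems anyway.)
find_multilinked_setuid() {
    root=${1:-/}
    find "$root" -xdev -type f -perm -4000 -links +1 -print 2>/dev/null
}

# Convenience wrapper returning the number of such files, for scripting.
count_multilinked_setuid() {
    n=$(find_multilinked_setuid "$1" | grep -c .) || n=0
    echo "$n"
}

# Build a constructed sample tree under a temp dir (assumption: we may
# set the set-uid bit on our own files, which ordinary users can do).
build_sample() {
    tmp=$(mktemp -d)
    : > "$tmp/su"      && chmod 4755 "$tmp/su"        # set-uid, linked twice
    ln "$tmp/su" "$tmp/bogus_su"                      # the extra hard link
    : > "$tmp/plain"   && chmod 4755 "$tmp/plain"     # set-uid, single link
    : > "$tmp/normal"  && chmod 0755 "$tmp/normal"    # not set-uid at all
    echo "$tmp"
}

# Stand-alone run: both names of the doubly-linked file are reported.
if [ "${1:-}" = "--demo" ]; then
    d=$(build_sample)
    find_multilinked_setuid "$d"
    rm -rf "$d"
fi
```

Running the same check over a real root (for example as a periodic security cron job) is what turns the "mysteriously writable directory" into something an administrator notices; on Linux, fs.protected_hardlinks=1 removes the precondition outright.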