Subject: Re: chroot() behaviour? (was Re: tar ignores filenames that contain `..')
To: Greywolf <greywolf@starwolf.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 10/31/2002 14:05:56

># Actually netbsd chroot seems to have fixed the easy escape,
># can fchroot be used instead:
># fd = open("/",..);
># chroot(path);
># ....
># fchroot(fd);
>
>I just had a thought. Presumably, the reason for not permitting chroot()
>is that one could potentially hard link something like login or su into
>their tree, provide their own password databases and gain root access via
>a shell. At least that was the rationale explained to me for not allowing
>chroot() by normal users.
that's exactly it. it's trivial to do, too, and requires about three
minutes of thought. and a properly writable filesystem.
>What if chroot() were to create/cause exec semantics such that, if not
>called by a super-user, setuid/setgid would be ignored?
that would be...almost pointless, no? i mean, if the binary weren't
setuid *at all*, then root could still switch to the appropriate
uid/gid...
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
werdna@squooshy.com * "information is power -- share the wealth."