Subject: Re: chroot() behaviour? (was Re: tar ignores filenames that contain `..')
To: Greywolf <greywolf@starwolf.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 10/31/2002 14:05:56
># Actually netbsd chroot seems to have fixed the easy escape,
># can fchroot be used instead:
># 	fd = open("/",..);
># 	chroot(path);
># 	....
># 	fchroot(fd);
>
>I just had a thought.  Presumably, the reason for not permitting chroot()
>is that one could potentially hard link something like login or su into
>their tree, provide their own password databases and gain root access via
>a shell.  At least that was the rationale explained to me for not allowing
>chroot() by normal users.

that's exactly it.  it's trivial to do, too, and requires about three
minutes of thought.  and a properly writable filesystem.

>What if chroot() were to create/cause exec semantics such that, if not
>called by a super-user, setuid/setgid would be ignored?

that would be...almost pointless, no?  i mean, if the binary weren't
setuid *at all*, then root could still switch to the appropriate
uid/gid...

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."
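The attack Andrew confirms above depends on a setuid binary being hard-linked into a tree the user controls, which is only possible on the same filesystem. One defensive check is to audit for setuid/setgid files whose link count is above one. The following is an added example, not code from the thread or from NetBSD; the sample tree it builds (a fake `bin/su` linked under `home/user/jail/`) is constructed for the demonstration.

```python
import os
import stat
import tempfile

def find_hardlinked_setuid(root):
    """Walk `root` without crossing filesystems and return regular files that
    carry the setuid or setgid bit AND have more than one hard link.  A link
    count above one means the same inode is reachable under another name,
    possibly inside a directory an unprivileged user controls."""
    root_dev = os.lstat(root).st_dev
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # hard links cannot span filesystems, so stay on the starting device
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and st.st_nlink > 1:
                hits.append(path)
    return sorted(hits)

def build_fixture():
    """Constructed sample tree (not from the thread): a fake 'bin/su' with the
    setuid bit, hard-linked a second time as 'home/user/jail/su', plus a
    setuid file with a single link and a plain file that must not be reported."""
    base = tempfile.mkdtemp(prefix="chroot-audit-")
    os.makedirs(os.path.join(base, "bin"))
    os.makedirs(os.path.join(base, "home", "user", "jail"))
    su = os.path.join(base, "bin", "su")
    with open(su, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(su, 0o4755)                      # owner may set setuid on own file
    os.link(su, os.path.join(base, "home", "user", "jail", "su"))
    lone = os.path.join(base, "bin", "passwd")
    with open(lone, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(lone, 0o4755)                    # setuid, but only one link
    with open(os.path.join(base, "home", "user", "notes.txt"), "w") as f:
        f.write("plain file\n")
    return base

if __name__ == "__main__":
    for p in find_hardlinked_setuid(build_fixture()):
        print("hard-linked setuid/setgid file:", p)
```

On a real system, run the scan against `/` as root; a system with its setuid binaries on a filesystem separate from user-writable directories should report nothing.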