Great Circle Associates Firewalls
(February 1995)
 


Subject: Re: Firewalls-Digest V4 #103
From: "Jonathan M. Bresler" <jmb @ kryten . atinc . com>
Date: Mon, 13 Feb 1995 21:47:52 -0500 (EST)
To: Firewalls @ GreatCircle . COM
In-reply-to: <199502130900 . BAA13009 @ miles . greatcircle . com>

On Mon, 13 Feb 1995 mcr @ milkyway . com wrote:

>   Why chroot is not for mortal users:
>   I can fool a whole bunch of programs into using my /etc/passwd
> rather than the system one, and if I do
>         % cd /bin
>         % chroot /my/new/root
>         % su
>  
>   I can get root. But we aren't talking about letting chroot be a
> general tool, just letting some programs use it based on gid rather than uid.

	chroot(2) is limited to superuser.  any other user's invocation fails
with EPERM.  chroot(8) calls chroot(".") to test the user's privilege 
level immediately after checking that argc > 1.  

	the above "attack" requires superuser privilege to succeed.

	this is based upon 4.3BSD and 4.3BSD code as reflected in FreeBSD
1.1.5.1.  chroot(8) in FreeBSD 2.0 has been rewritten to use getopt(2)
before chroot(2)--no effective change here.   

	SunOS 4.1.3 seems impervious as well.  ???

Jonathan M. Bresler  jmb @ kryten . atinc . com	| Analysis & Technology, Inc.
						| 2341 Jeff Davis Hwy
play go.					| Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life	| 703-418-2800 x346
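
A way to check the reply's claim on a given system, as an added example that is not part of the original message: the probe below calls chroot(".") in a forked child, the same privilege test the reply describes chroot(8) making, and returns the resulting errno. The function name chroot_probe is an assumption of this example.

```c
/* Added example: probe whether this process may call chroot(2).
 * The probe runs in a forked child so that a successful call (when run
 * as root) does not change the caller's own root directory. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose the chroot() prototype */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* chroot_probe (hypothetical name): returns 0 if chroot(".") succeeded in
 * the child, the child's errno (EPERM for an unprivileged caller) if it
 * failed, or -1 if the probe itself could not be run. */
int chroot_probe(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: "." is always a valid directory, so a failure here
         * reflects missing privilege rather than a bad path. */
        if (chroot(".") == 0)
            _exit(0);
        _exit(errno & 0xff);    /* pass errno back in the exit status */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = chroot_probe();

    if (rc < 0) {
        fprintf(stderr, "probe could not be run\n");
        return 2;
    }
    printf("euid=%ld chroot(\".\") -> %s\n", (long)geteuid(),
           rc == 0 ? "permitted" : strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run as an ordinary user, the probe reports the EPERM failure the reply describes; run as root, it reports that the call is permitted.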

