restricting access via chroot()

klaus u schallhorn cnix!klaus at relay.eu.net
Sat Oct 27 09:10:00 AEST 1990


I just tripped over Sun's dynamic linking when trying to do the following:

/etc/passwd entry:
badguy::15:14:test login to check out restrictions:/home/jail:/home/bin/lockup

In /home/bin/lockup I do:

	pwentry = getpwuid(getuid());
	badguy_home = pwentry->pw_dir;

	chdir(badguy_home);	/* enter the jail before changing root */
	chroot(badguy_home);	/* can't access anything higher now! */

	set_uid_and_gid();
	change_environment();

	execl("/bin/sh", "-sh", (char *)NULL);

As I can't access the real /bin anymore I made a dummy bin in /home/jail
containing a sh and a few things [like ls, rm, more...] "badguy" is allowed
to use.

All the system utilities that came with the distribution and that badguy
is allowed to use have been linked dynamically. The only thing that works
is the sh [static loading, csh doesn't] and my own code loaded statically.
If I try to "ls" or any distribution program I get

	crt0.o: no /usr/lib/ld.so

If I add a fake usr/lib and a fake etc and copy the dynamic linker and its
cache: no change. If I [as root] rm "ls" and make a link to the real one
[which I would not want to] badguy can't use that either: the shell can't
follow the link because of chroot(). I'm truly locked up, but not the way
I wanted.

I really need the iron bars here, but I don't want to write my own ls and
various other things to load them with the static flag.

I'm using SunOS 4.1, /home/jail and the real /bin etc. are on different
disks.  In .profile I just set PATH to /bin, if badguy does a "set", it
reads:

HOME=/jail/badguy
IFS= 	

LOGNAME=badguy
MAILCHECK=600
OPTIND=1
PATH=/bin
PS1=$ 
PS2=> 
SHELL=/bin/sh
TERM=dialup
USER=badguy

Any ideas out there?

Thanks, klaus

send two QIC24 tapes for my signature
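
An added example, not part of the original post: a dynamically linked program started after chroot() looks up its run-time linker and shared libraries relative to the new root, so those files have to exist as real copies inside the jail. The shell functions below list them from `ldd` output and report which are absent from a jail directory. The function names `jail_deps` and `jail_missing` are hypothetical, and the sample is constructed in the modern Linux `ldd` format, not taken from SunOS 4.1.

```shell
#!/bin/sh
# Added example (not from the original post). Names and sample are constructed.

# jail_deps: read ldd-style output on stdin, print each absolute path once.
# Handles "name => /path (addr)" and bare "/path (addr)" lines (the run-time
# linker itself); skips entries with no file on disk and "not found" lines.
jail_deps() {
    awk '
        /not found/              { next }
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# jail_missing JAIL: read absolute paths on stdin, print those absent in JAIL.
jail_missing() {
    jail=$1
    while IFS= read -r path; do
        [ -e "$jail$path" ] || printf '%s\n' "$path"
    done
}

# Constructed sample in the format printed by ldd on a modern Linux system.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1c5f2000)
	libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f0a1c000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1be00000)
	libfoo.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f0a1c200000)'

# Demo: files that must be copied (not symlinked) into the jail for the sample.
printf '%s\n' "$SAMPLE_LDD" | jail_deps
```

On a live system the input would come from `ldd /bin/ls | jail_deps | jail_missing /home/jail`; the copies inside the jail should be owned by root and not writable by the jailed account.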