Security
guy at rlgvax.UUCP
guy at rlgvax.UUCP
Mon Jul 11 05:00:23 AEST 1983
1) Anybody out there know *why* the 4.1BSD manuals don't document "chroot"?
The V7 manual does, and the System III and System V manuals do.
2) On a vanilla V7 system "chroot" is *not* secure. You can reference above
your fake root with "..". This bug has been fixed in 4.1BSD and in System III
and later USG releases. In fact, there is an undocumented feature of the
System III "login"; if the user's login shell begins with "*" (or is "*"),
"login" changes the root to the home directory specified in the password file,
prints "Subsystem root: <that_directory>", and attempts to run "/etc/login"
and, if that fails, "/bin/login" from the new root. The System V login does
all this (which implies it wasn't just a hack) and also sticks the string
<!sublogin> in the environment (that's right, a string in the environment with
no "=" in it!). My interpretation of this is that you put an entry for the
*subsystem*, not for the *user*, in the password file (i.e., if you had a
subsystem called "anonymous", you would have:
anonymous:<encrypted subsystem password>:<uid>:<gid>:<name>:/anonymous:*
in the password file. Then you would put the password file for the anonymous
user subsystem in "/anonymous/etc/passwd", and either a copy of/link to
"/etc/login" or a special login program in "/anonymous/etc/login". Is this
how it is intended to be used? And why is it not documented in the System III
or System V documentation?
Guy Harris
{seismo,mcnc,we13,brl-bmd,allegra}!rlgvax!guy
More information about the Comp.unix.wizards
mailing list