chroot(2) security

Jim Webb jrw at hropus.UUCP
Sat Oct 4 03:45:06 AEST 1986


> In article <113 at nonvon.UUCP>, apn at nonvon.UUCP (apn) writes:
> 
> > 	write a program that changes the root directory to /mnt23/user/test
> > 	and then proceeds to exec /bin/login
> 
> 	On our system, login only has execute permission for root.

True here as well, but some sites setuid root login so that people can
say "exec login" to come in as another user w/o problems.  Who knows why
one would want to, though...

> But, one can link in the 'su' command! Even if the /bin directory is
> execute only!

As an aside, if /bin were not readable, no one could use PATH to find anything
in it, not too cool, if you ask me...

>                The resulting superuser process could then *modify* the
> su program to allow a special root password after leaving the chroot process.
> (Otherwise, even the root process could not access anything below the new
> root directory.)

It is even easier.  Assume for a moment that /tmp is actually in root instead
of being its own filesystem.  Now, make an etc and bin directory in /tmp.
ln the real /etc/passwd into /tmp/etc/realpasswd and make a /tmp/etc/passwd
with a passwdless root entry.  ln in /bin/su into /tmp/bin/su and copy /bin/sh
there too, although you could link it as well.  Make sure to do the same for
/bin/ed.  (I guess you would need some /dev entries, too.) Now chroot to /tmp
to run su and edit /etc/realpasswd.  When it is written out, you could have
added in a new root entry.
-- 
Jim Webb             "Out of phase--get help"          ...!ihnp4!hropus!jrw
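A defensive audit for the two conditions the message above relies on (hard links that cross the jail boundary, and setuid binaries inside it), added here as an example and not part of the original thread; the demo tree, its file names and the audit_chroot_tree function are constructed for illustration.

```sh
#!/bin/sh
# audit_chroot_tree JAIL SENSITIVE_FILE...
# Prints one line per finding and returns the number of findings (0 = clean).
audit_chroot_tree() {
    jail=$1; shift
    n=0
    # (1) Hard links: chroot restricts path lookup, not inodes, so a file inside
    #     the jail that shares an inode with a real file outside it can be
    #     edited from inside the jail and the real file changes with it.
    for real in "$@"; do
        [ -f "$real" ] || continue
        for hit in $(find "$jail" -type f -samefile "$real"); do  # paths without whitespace assumed
            echo "HARDLINK  $hit -> $real"
            n=$((n + 1))
        done
    done
    # (2) Setuid files: a setuid su/login inside the jail consults the jail's
    #     own /etc/passwd, which the jail builder controls.
    for hit in $(find "$jail" -type f -perm -4000); do
        echo "SETUID    $hit"
        n=$((n + 1))
    done
    return "$n"
}

# Constructed demo tree (not a real system): a "real" passwd outside the jail,
# hard-linked into jail/etc, plus a setuid stand-in for su inside jail/bin.
build_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/real" "$base/jail/etc" "$base/jail/bin"
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$base/real/passwd"
    ln "$base/real/passwd" "$base/jail/etc/realpasswd"
    printf '#!/bin/sh\n' > "$base/jail/bin/su"
    chmod 4755 "$base/jail/bin/su"
    echo "$base"
}

# Stand-alone run against the constructed tree. On a real host, pass the jail
# directory and the files that must never be reachable from inside it, e.g.
#   audit_chroot_tree /path/to/jail /etc/passwd /etc/shadow /bin/su
demo=$(build_demo_tree)
if audit_chroot_tree "$demo/jail" "$demo/real/passwd"; then
    echo "clean"
else
    echo "findings: $?"
fi
rm -rf "$demo"
```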