Xref: sserve comp.os.386bsd.bugs:2597 comp.os.386bsd.questions:14437
Newsgroups: comp.os.386bsd.bugs,comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.uwa.edu.au!DIALix!metapro!bernie
From: bernie@metapro.DIALix.oz.au (Bernd Felsche)
Subject: Re: chroot() in FreeBSD 1.1.5.1
Message-ID: <Cz8xvH.AwM@metapro.DIALix.oz.au>
Organization: MetaPro Systems, Perth, Western Australia
References: <39vvl6$90m@clavin.uprc.com> <3a06kq$9bs@dagny.galt.com> <3a102b$2le@nyheter.chalmers.se>
Date: Mon, 14 Nov 1994 07:23:41 GMT
Lines: 23

In <3a102b$2le@nyheter.chalmers.se> augustss@cs.chalmers.se (Lennart Augustsson) writes:

>In article <3a06kq$9bs@dagny.galt.com> alex@pc.cc.cmu.edu (alex wetmore) writes:
>> I'm not sure why it's implemented this way. I thought I would find an
>> answer in Leffler, et al, but I just checked and it didn't say. The source
>> code for the system call doesn't say either.

>Making chroot available to anyone is not secure.
>Just make a directory foo, make a foo/etc/passwd with empty root
>password in it. Then make a link from /bin/su to foo/bin/su,
>chroot to foo. Run su. Voila, you're now root.

The link would only work if on the same filesystem. Normally, users
would only get write access to that filesystem via /tmp. If /tmp is
on another filesystem from /bin or /sbin, that prevents such
perversions.

However, there are other known methods of attack.
--
Bernd Felsche, MetaPro Systems Pty Ltd
328 Albany Highway, Victoria Park, Western Australia
Phone: +61 9 362 9355 Fax: +61 9 472 3337
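
Added example, not part of the original post: a Python audit for the condition the reply describes, namely whether a user-writable directory shares a filesystem with the directories holding set-uid binaries, plus a scan for set-uid files that already have extra hard links. The function names and the directory lists in the main block are assumptions for illustration.

```python
import os
import stat


def same_filesystem(path_a, path_b):
    """True when both paths are on the same device, so link(2) between
    them would not be refused with EXDEV."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def exposed_pairs(writable_dirs, setuid_dirs):
    """Return (writable_dir, setuid_dir) pairs that share a filesystem.
    Paths that do not exist on this host are skipped."""
    pairs = []
    for w in writable_dirs:
        for s in setuid_dirs:
            if os.path.isdir(w) and os.path.isdir(s) and same_filesystem(w, s):
                pairs.append((w, s))
    return pairs


def linked_setuid_files(directory):
    """List set-uid regular files under directory whose link count is
    above one, i.e. the same inode is reachable under another name."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_nlink > 1):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Assumed layout; adjust both lists to the host being audited.
    writable = ["/tmp", "/var/tmp"]
    setuid_dirs = ["/bin", "/sbin", "/usr/bin"]
    for w, s in exposed_pairs(writable, setuid_dirs):
        print(f"{w} shares a filesystem with {s}")
    for d in setuid_dirs:
        if os.path.isdir(d):
            for path in linked_setuid_files(d):
                print(f"set-uid file with extra hard links: {path}")
```

A link count above one is not proof of abuse, since some systems ship set-uid binaries under several names; each hit needs a look at where the other name lives.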