*BSD News Article 37863

Xref: sserve comp.os.386bsd.bugs:2597 comp.os.386bsd.questions:14437
Newsgroups: comp.os.386bsd.bugs,comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.uwa.edu.au!DIALix!metapro!bernie
From: bernie@metapro.DIALix.oz.au (Bernd Felsche)
Subject: Re: chroot() in FreeBSD 1.1.5.1
Message-ID: <Cz8xvH.AwM@metapro.DIALix.oz.au>
Organization: MetaPro Systems, Perth, Western Australia
References: <39vvl6$90m@clavin.uprc.com> <3a06kq$9bs@dagny.galt.com> <3a102b$2le@nyheter.chalmers.se>
Date: Mon, 14 Nov 1994 07:23:41 GMT
Lines: 23

In <3a102b$2le@nyheter.chalmers.se>
   augustss@cs.chalmers.se (Lennart Augustsson) writes:

>In article <3a06kq$9bs@dagny.galt.com> alex@pc.cc.cmu.edu (alex wetmore) writes:
>>    I'm not sure why it's implemented this way.  I thought I would find an 
>>    answer in Leffler, et al, but I just checked and it didn't say.  The source
>>    code for the system call doesn't say either.
>Making chroot available to anyone is not secure.

>Just make a directory foo, make a foo/etc/passwd with empty root
>password in it.  Then make a link from /bin/su to foo/bin/su,
>chroot to foo.  Run su.  Voila, you're now root.

The link would only work if on the same filesystem. Normally, users
would only get write access to that filesystem via /tmp.  If /tmp
is on another filesystem from /bin or /sbin, that prevents such
perversions.

However, there are other known methods of attack.
-- 
Bernd Felsche, MetaPro Systems Pty Ltd
328 Albany Highway, Victoria Park, Western Australia
Phone: +61 9 362 9355  Fax: +61 9 472 3337
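The thread's mitigation rests on one fact: a hard link cannot cross filesystems, so a fake root under /tmp can only borrow a setuid su if /tmp and the binary share a device. The following is an added audit script, not code from the thread or from any BSD release, that checks that condition on the running host; the directory and binary lists are constructed assumptions and should be replaced with the site's own.

```python
import os
import stat
from typing import List, Tuple

# Constructed defaults: where unprivileged users normally get write access,
# and the setuid binaries a spoofed /etc/passwd would need to hard-link.
WRITABLE_DIRS = ["/tmp", "/var/tmp"]
SETUID_BINS = ["/bin/su", "/usr/bin/su"]


def is_setuid(path: str) -> bool:
    """True if path is a regular file with the setuid bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def same_filesystem(a: str, b: str) -> bool:
    """link(2) fails with EXDEV across devices, so compare st_dev."""
    return os.stat(a).st_dev == os.stat(b).st_dev


def linkable_pairs(writable_dirs: List[str],
                   setuid_bins: List[str]) -> List[Tuple[str, str]]:
    """Return (dir, binary) pairs on the same filesystem, i.e. where a
    user writing to dir could hard-link the setuid binary into a chroot."""
    pairs = []
    for d in writable_dirs:
        if not os.path.isdir(d):
            continue
        for b in setuid_bins:
            if is_setuid(b) and same_filesystem(d, b):
                pairs.append((d, b))
    return pairs


if __name__ == "__main__":
    found = linkable_pairs(WRITABLE_DIRS, SETUID_BINS)
    if not found:
        print("ok: no user-writable directory shares a filesystem with a setuid su")
    for d, b in found:
        print(f"warning: {d} and {b} share a filesystem; hard link possible")
```

On Linux, fs.protected_hardlinks adds a separate barrier by refusing hard links to setuid files the caller does not own; the script checks only the filesystem-layout argument made in the post.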