Received: by minnie.vk1xwt.ampr.org with NNTP id AA5713 ; Fri, 01 Jan 93 01:53:28 EST
Xref: sserve comp.unix.bsd:9458 comp.unix.wizards:28099 alt.security:7247
Newsgroups: comp.unix.bsd,comp.unix.wizards,alt.security
Path: sserve!manuel.anu.edu.au!munnari.oz.au!uunet!paladin.american.edu!howland.reston.ans.net!zaphod.mps.ohio-state.edu!cs.utexas.edu!convex!convex!tchrist
From: Tom Christiansen <tchrist@convex.COM>
Subject: Re: WEIRD IDEA? (chroot) Some corrections.
Originator: tchrist@pixel.convex.com
Sender: usenet@news.eng.convex.com (news access account)
Message-ID: <1992Dec29.203231.21943@news.eng.convex.com>
Date: Tue, 29 Dec 1992 20:32:31 GMT
Reply-To: tchrist@convex.COM (Tom Christiansen)
References: <1992Dec26.191816.26596@prime.mdata.fi> <1992Dec28.214412.29732@prime.mdata.fi>
Nntp-Posting-Host: pixel.convex.com
Organization: Convex Computer Corporation, Colorado Springs, CO
Keywords: chroot, shadow login, pirates BBS
X-Disclaimer: This message was written by a user at CONVEX Computer Corp.
              The opinions expressed are those of the user and not
              necessarily those of CONVEX.
Lines: 15

Chroot may not be so wondrous as you may think. If your interloper
should manage to crack root inside of the chroot box, you can still
be in for big problems. A kmem or a disk device inode inside the box
is as valid as one outside, allowing someone to peek anywhere in the
kernel or disk or even poke himself out of the box! Remember also
that privileged sockets have no concept of chroot, so anyone could be
impersonated going over the net.

--tom
-- 
    Tom Christiansen      tchrist@convex.com      convex!tchrist
    "We don't care. We don't have to. We're the Phone Company."
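Added example, not part of the original post: a small audit that walks a chroot tree and reports every character or block device inode in it, the kind of node (kmem, a disk device) the post says is as valid inside the box as outside. The function names `device_kind` and `audit_jail` and the command-line usage are illustrative assumptions.

```python
import os
import stat
import sys


def device_kind(mode):
    """Return 'char' or 'block' if st_mode describes a device inode, else None."""
    if stat.S_ISCHR(mode):
        return "char"
    if stat.S_ISBLK(mode):
        return "block"
    return None


def audit_jail(root):
    """Walk `root` without following symlinks and list device nodes.

    Each finding is (path, kind, major, minor, octal permission string).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                # lstat judges the inode itself; a symlink that points at
                # /dev/... resolves inside the jail after chroot, so the
                # link is not a device node in its own right.
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            kind = device_kind(st.st_mode)
            if kind:
                perms = oct(stat.S_IMODE(st.st_mode))
                findings.append(
                    (path, kind, os.major(st.st_rdev), os.minor(st.st_rdev), perms)
                )
    return sorted(findings)


if __name__ == "__main__":
    # Assumed usage: python3 audit_jail.py /path/to/jail
    jail = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = audit_jail(jail)
    for path, kind, major, minor, perms in hits:
        print(f"{kind:5} {major:>4},{minor:<4} {perms:>6} {path}")
    sys.exit(1 if hits else 0)  # non-zero exit when any device node is present
```

Any node reported here should be one the jailed service needs. Where the system supports it, mounting the jail's filesystem with `nodev` makes the kernel refuse to interpret device nodes on it.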