Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!unmvax!ncar!tank!shamash!nic.MR.NET!hal!ncoast!allbery
From: allbery@NCoast.ORG (Brandon S. Allbery)
Newsgroups: comp.sources.d
Subject: Re: Safer unsharing
Message-ID: <1989Oct15.010101.27015@NCoast.ORG>
Date: 15 Oct 89 01:01:01 GMT
References: <15018@bloom-beacon.MIT.EDU>
Reply-To: allbery@ncoast.ORG (Brandon S. Allbery)
Followup-To: comp.sources.d
Organization: North Coast Public Access UN*X, Cleveland, OH
Lines: 28

As quoted from <15018@bloom-beacon.MIT.EDU> by drw@math.mit.edu (Dale R. Worley):
+---------------
| I may be naive, but I would think that between running sh from a
| non-root account, and use of chroot(), one would be able to confine
| the damage from a dangerous archive to just one part of the directory
| tree. Why doesn't this work?
+---------------

It *does* work. But assembling a *usable* chroot area is non-trivial: you
need to construct copies of /bin, /usr/bin, /etc (for chown/chgrp on Berzerk
systems), /usr/ucb (ditto), etc. in your chroot area, and to be absolutely
safe they should be copies, not links, of the originals. This wastes space
and takes more than a little time, and if you forget to include some utility
in /bin you have to go put it in and re-unshar. Add that chroot() requires
root permissions.

Summary: It works fine if you can swing it, but it's too much of a chore.
It's likely to be easier to keep a spare machine around to do your unshars
on. (You always knew there was a reason for System V/286. ;-)

++Brandon
--
Brandon S. Allbery, moderator of comp.sources.misc
allbery@NCoast.ORG  uunet!hal.cwru.edu!ncoast!allbery  ncoast!allbery@hal.cwru.edu
bsa@telotech.uucp  161-7070 (MCI), ALLBERY (Delphi), B.ALLBERY (GEnie), comp-sources-misc@backbone
[comp.sources.misc-related mail should go ONLY to comp-sources-misc@]
*Third party vote-collection service: send mail to allbery@uunet.uu.net (ONLY)*
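The chore Brandon describes (staging real copies of the tools into a chroot area, then running the archive there as a non-root user) as a small shell script. This is an added example, not code from the post; the tool list, the jail path and the use of GNU chroot's `--userspec` are assumptions, and copying each tool's shared libraries is left to the caller.

```bash
#!/bin/sh
# Stage a chroot area for unshar'ing untrusted archives by *copying*
# (never linking) tools into it, then verify nothing in the jail still
# points back at the outside tree.

# copy_into_jail SRC_ROOT JAIL FILE...
# Each FILE is relative to SRC_ROOT (e.g. bin/sh, usr/bin/sed).  A missing
# tool is an error now, not a failed unshar later.  Symlinks in SRC_ROOT
# are dereferenced so the jail receives a real copy of the target.
copy_into_jail() {
  src="$1"; jail="$2"; shift 2
  for f in "$@"; do
    [ -e "$src/$f" ] || { echo "missing tool: $src/$f" >&2; return 1; }
    mkdir -p "$jail/$(dirname "$f")" || return 1
    # -L follows symlinks; -p keeps mode bits so tools stay executable
    cp -L -p "$src/$f" "$jail/$f" || return 1
  done
}

# jail_has_links JAIL: succeeds (exit 0) if any symlink, or any regular
# file with more than one hard link (i.e. shared with the outside tree),
# exists under JAIL -- exactly the "links, not copies" case to avoid.
jail_has_links() {
  [ -n "$(find "$1" \( -type l -o \( -type f -links +1 \) \) | head -n 1)" ]
}

# run_in_jail JAIL USER ARCHIVE: copy the archive in and unshar it as a
# non-root user.  chroot itself needs root; --userspec is GNU coreutils
# (assumption), other systems need su/setuid inside the jail instead.
run_in_jail() {
  mkdir -p "$1/tmp" && cp "$3" "$1/tmp/in.shar" &&
  chroot --userspec="$2" "$1" /bin/sh -c 'cd /tmp && /bin/sh in.shar'
}

# Typical use (as root), tool list is illustrative:
#   copy_into_jail / /var/jail bin/sh bin/sed bin/cat bin/mkdir bin/chmod
#   jail_has_links /var/jail && { echo "jail leaks outside"; exit 1; }
#   run_in_jail /var/jail nobody:nogroup /tmp/suspect.shar
```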