Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!brutus.cs.uiuc.edu!wuarchive!texbell!vector!chip
From: chip@vector.Dallas.TX.US (Chip Rosenthal)
Newsgroups: comp.sources.d
Subject: Re: Safer unsharing
Message-ID: <768@vector.Dallas.TX.US>
Date: 16 Oct 89 16:06:13 GMT
References: <15018@bloom-beacon.MIT.EDU> <1989Oct15.010101.27015@NCoast.ORG>
Reply-To: chip@vector.Dallas.TX.US (Chip Rosenthal)
Organization: Dallas Semiconductor
Lines: 34

allbery@ncoast.ORG (Brandon S. Allbery) writes:
>quoted from <15018@bloom-beacon.MIT.EDU> by drw@math.mit.edu (Dale R. Worley):
>+---------------
>| I would think that between running sh from a non-root account, and use of
>| chroot(), one would be able to confine the damage from a dangerous archive
>+---------------
>It *does* work.  But assembling a *usable* chroot area is non-trivial

Under XENIX (and correspondingly SysVish looking things), I've found the
following structure to work most of the time:

/usr/spool/unshar:
bin/    dev/    tmp/

/usr/spool/unshar/bin:
awk*    cat*    chmod*  cp*     mkdir*  rm*     sed*    sh*     wc*

/usr/spool/unshar/dev:
null    tty

/usr/spool/unshar/tmp:

where I do a chroot("/usr/spool/unshar") and unpack into the (relative) /tmp.

By far, the biggest problem is the archives which insist upon an unpacking
order, not missing executables.  The next (and a distant next) most frequent
complaint is about missing "chown" and "chgrp".  This is intentional.  No
%*#(@ shar archive should have this sort of command in it.  Stamp out
complex shar archives.  Small is beeyooteefull.

-- 
Chip Rosenthal / chip@vector.Dallas.TX.US / Dallas Semiconductor / 214-450-5337
Someday the whole country will be one vast "Metroplex" - Zippy's friend Griffy
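The jail layout from the post above, as a shell script added here (not Chip Rosenthal's code): it builds the bin/ dev/ tmp/ tree, copies in the nine listed utilities, and refuses to unpack until bin/ holds nothing outside that set (chown and chgrp included) and nothing setuid. It assumes statically linked utilities as on XENIX; on a modern host each binary's shared libraries would also have to be copied in, and the device nodes and the chroot call itself need root.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the chroot area
# described above and checks it before an archive is unpacked there.
# Assumption: the utilities are statically linked (true on XENIX); on a
# modern host their shared libraries would also have to be copied in.

JAIL_BINS="awk cat chmod cp mkdir rm sed sh wc"   # the post's bin/ listing

# Create bin/ dev/ tmp/ under $1 and copy each allowed utility from the host.
build_jail() {
    jail=$1
    mkdir -p "$jail/bin" "$jail/dev" "$jail/tmp" || return 1
    chmod 1777 "$jail/tmp"
    for b in $JAIL_BINS; do
        src=$(command -v "$b") || { echo "host lacks $b" >&2; return 1; }
        cp "$src" "$jail/bin/$b" && chmod 0755 "$jail/bin/$b" || return 1
    done
}

# Succeed only if bin/ holds nothing outside JAIL_BINS (so no chown/chgrp,
# which the post leaves out on purpose) and nothing setuid or setgid.
check_jail() {
    jail=$1
    for f in "$jail"/bin/*; do
        name=${f##*/}
        case " $JAIL_BINS " in
            *" $name "*) ;;
            *) echo "unexpected $name in jail" >&2; return 1 ;;
        esac
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "$name is setuid/setgid" >&2; return 1
        fi
    done
    [ ! -e "$jail/bin/chown" ] && [ ! -e "$jail/bin/chgrp" ]
}

# Unpack archive $2 inside jail $1 the way the post describes: chroot, then
# run sh in /tmp. Needs root for chroot(2) and for the mknod of dev/null and
# dev/tty; the sh inside should then run as an unprivileged uid, since
# chroot alone does not confine root.
unshar_in_jail() {
    jail=$1 archive=$2
    check_jail "$jail" || return 1
    [ -c "$jail/dev/null" ] && [ -c "$jail/dev/tty" ] ||
        { echo "create dev/null and dev/tty with mknod first" >&2; return 1; }
    cp "$archive" "$jail/tmp/archive.shar" || return 1
    chroot "$jail" /bin/sh -c 'cd /tmp && /bin/sh archive.shar'
}
```

Typical use is `build_jail /usr/spool/unshar`, then mknod the two device nodes, then `unshar_in_jail /usr/spool/unshar some.shar` as root with the inner sh dropped to an unprivileged uid.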