Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ukma!sean
From: sean@ms.uky.edu (Sean Casey)
Newsgroups: comp.sources.d
Subject: Re: Safer unsharing -- why chroot() *really* doesn't work
Message-ID: <13053@s.ms.uky.edu>
Date: 26 Oct 89 13:12:56 GMT
References:
Organization: The Leaning Tower of Patterson Office @ The Univ. of KY
Lines: 24

drw@fibonacci.math.mit.edu (Dale R. Worley) writes:

|1. Invoke whatever setuid root thingy establishes the directory that
|it will chroot into.
|2. Have your shar script sleep a good long while at the beginning.
|3. While it's sleeping, in another shell, cd to that fake root
|directory. "ln /bin/su ./bin/su" to install su in the fake /bin
|directory. Also, "cat ~/xyz ./etc/passwd" to install a fake
|/etc/passwd file, one whose root password you know.

You've already lost on step 3, because you made a false assumption about
step 1. Step 1 would do the chroot *before* any lines of the shell archive
get executed. The ln /bin/su ./bin/su would fail because after the chroot
there is no /bin/su to be found.

Sean

-- 
*** Sean Casey sean@ms.uky.edu, sean@ukma.bitnet, ukma!sean
*** Copyright 1989 by Sean Casey. Only non-profit redistribution permitted.
*** ``So if you weight long enough, you'll get your packets, right?''