Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!cs.utexas.edu!uunet!crdgw1!crdos1!davidsen
From: davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr)
Newsgroups: comp.sources.d
Subject: Re: Safer unsharing -- why chroot() *really* doesn't work
Message-ID: <1491@crdos1.crd.ge.COM>
Date: 26 Oct 89 15:08:43 GMT
References:
Reply-To: davidsen@crdos1.UUCP (bill davidsen)
Organization: GE Corp R&D Center
Lines: 19

In article , drw@fibonacci.math.mit.edu (Dale R. Worley) writes:

| 3. While it's sleeping, in another shell, cd to that fake root
| directory. "ln /bin/su ./bin/su" to install su in the fake /bin
| directory. Also, "cat ~/xyz ./etc/passwd" to install a fake
| /etc/passwd file, one whose root password you know.

  In *what* other shell? This is a shar file, right? There is no other
shell to start up, and if you start one from the shar file it, too, is
running under the chroot. This would barely work if someone was on the
same machine trying to break security (assuming that the chroot was to
an insecure directory).

  The technique doesn't work from a shar file, because you can't get out
of the chroot to link in all the stuff you want (mainly su).
--
bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)
"The world is filled with fools. They blindly follow their so-called
'reason' in the face of the church and common sense. Any fool can see
that the world is flat!" - anon