Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!cs.utexas.edu!uunet!crdgw1!crdos1!davidsen
From: davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr)
Newsgroups: comp.sources.d
Subject: Re: Safer unsharing -- why chroot() *really* doesn't work
Message-ID: <1507@crdos1.crd.ge.COM>
Date: 27 Oct 89 18:02:49 GMT
References: <13053@s.ms.uky.edu>
Reply-To: davidsen@crdos1.UUCP (bill davidsen)
Organization: GE Corp R&D Center
Lines: 21

In article <13053@s.ms.uky.edu>, sean@ms.uky.edu (Sean Casey) writes:
| You've already lost on step 3, because you made a false assumption about
| step 1.

Well, he loses, but not just that way. The scenario assumes that (a) you
allow sleep, and (b) that the user can write the directory.

The program I use unshars into a protected directory (r/w root only), and
after the unshar it scans the directory for any writable directories or
setuid programs. If the unshar has not created anything evil it uses the
'p' option of cpio to copy the new stuff back to the user's directory,
where it will be owned by the user. And yes, I have a lockfile to prevent
two unshars at once.

I'm not paranoid, I'm *very* paranoid.

-- 
bill davidsen	(davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)
"The world is filled with fools. They blindly follow their so-called
'reason' in the face of the church and common sense. Any fool can see
that the world is flat!" - anon
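The post-unshar check described above, as an added example in POSIX sh. This is not Bill Davidsen's program; it is a reconstruction of the steps he lists (unpack into a root-only staging directory, reject the result if it contains writable directories or setuid/setgid programs, copy the vetted tree back with `cpio -p`, and serialise runs with a lockfile). The function names, the `UNSHAR_LOCK` variable and the use of an atomic `mkdir` as the lock are assumptions of this example. The staging directory is expected to be owned by root with mode 700, which the script does not create for you.

```shell
#!/bin/sh
# Added example (not the original poster's code): scan a freshly unshar'd
# staging directory the way the post describes, then copy it back.

# Return 0 if the tree under $1 contains no group/other-writable directory
# and no setuid/setgid regular file; otherwise list the offenders on stderr
# and return 1.  Octal -perm masks are used for portability.
scan_unshar_dir() {
    dir=$1
    # Directories writable by group or other: anything dropped in here could
    # be replaced or appended to by another user before the copy-back.
    wdirs=$(find "$dir" -type d \( -perm -0020 -o -perm -0002 \) -print)
    # Setuid or setgid regular files created by the shar.
    sfiles=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$wdirs" ] || [ -n "$sfiles" ]; then
        printf 'REJECT: suspicious entries under %s\n' "$dir" >&2
        [ -n "$wdirs" ]  && printf '  writable dir: %s\n' $wdirs  >&2
        [ -n "$sfiles" ] && printf '  setuid/setgid: %s\n' $sfiles >&2
        return 1
    fi
    return 0
}

# Copy the vetted tree from $1 into $2 with cpio in pass-through ('p') mode,
# as the post does.  -d creates leading directories, -m keeps mtimes.
# Run this as the target user so the files end up owned by that user.
copy_back() {
    src=$1
    dest=$2
    command -v cpio >/dev/null 2>&1 || { echo "cpio not found" >&2; return 1; }
    ( cd "$src" && find . -print | cpio -pdm "$dest" )
}

# Serialise unshar runs with a lockfile.  mkdir is atomic, so two concurrent
# callers cannot both succeed.  UNSHAR_LOCK is an assumed name for this example.
with_unshar_lock() {
    lock=${UNSHAR_LOCK:-/tmp/unshar.lock}
    if ! mkdir "$lock" 2>/dev/null; then
        echo "another unshar is already running (lock: $lock)" >&2
        return 1
    fi
    "$@"
    rc=$?
    rmdir "$lock"
    return $rc
}

# Whole procedure: unpack (sh on the shar file, as unshar does), scan, copy.
# $1 = shar file, $2 = root-only staging dir, $3 = user's destination dir.
safe_unshar() {
    shar=$1
    staging=$2
    dest=$3
    ( cd "$staging" && sh "$shar" >/dev/null ) || return 1
    scan_unshar_dir "$staging" || return 1
    copy_back "$staging" "$dest"
}
```

Usage: `with_unshar_lock safe_unshar pkg.shar /var/unshar/stage "$HOME/src"`, run from a root-owned wrapper that empties the staging directory between calls. The scan flags group-writable as well as world-writable directories; loosen the mask to `-perm -0002` only if your site treats group-writable trees as acceptable.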