Xref: utzoo alt.bbs:3026 comp.unix.sysv386:689
Path: utzoo!utgpu!cs.utexas.edu!mailrus!iuvax!maytag!looking!brad
From: brad@looking.on.ca (Brad Templeton)
Newsgroups: alt.bbs,comp.unix.sysv386
Subject: Re: Protecting against downloads
Message-ID: <1990Sep24.202309.13200@looking.on.ca>
Date: 24 Sep 90 20:23:09 GMT
References: <2441@sud509.ed.ray.com> <1990S <1990Sep20.153105.28394@naitc.naitc.com> <1990Sep22.024446.3305@chinet.chi.il.us> <1990Sep24.153529.8627@naitc.naitc.com>
Organization: Looking Glass Software Ltd.
Lines: 29

If a user gets superuser access while under chroot, you have lost system security. Don't go under the illusion that just your linked files are at risk.

Any user with root access can (with or without linker or C compiler access -- all they need is upload access) issue the 'mknod' system call. With mknod you can create raw hard disk devices with write perms. And get access to all the hard disks. Including the main system password file, etc.

One can also create a memory device, and (if really clever) 'undo' the chroot call, to be full superuser. Complete system takeover.

chroot security is good, but it depends on the user never getting to be root. This means that:

a) (fakeroot)/etc and files under it have proper, safe permissions. Double that by simply not allowing programs that do things there, including passwd and chfn etc. This restricts the users a bit, of course.

b) Never, never go into the secure subsystem and run programs left there by users while you are root, or any trusted user not chrooted.

c) No system program that is root or another trusted user should execute a program from the subsystem.

-- 
Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473
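As an added example, not part of the post above or of any of the referenced articles: a small POSIX shell audit that walks a chroot tree for the conditions the post's checklist implies (pre-existing device nodes, setuid/setgid programs such as passwd and chfn, and world-writable files under (fakeroot)/etc). The jail path is passed as the first argument and the function names are my own.

```shell
#!/bin/sh
# Audit a chroot tree for the conditions the post warns about.
# Usage: audit_jail /path/to/jail   (the path is an assumption; pass your own)
# Output: one finding per line, "KIND<TAB>PATH".

# tag KIND: prefix every path read on stdin with KIND and a tab
tag() {
    while IFS= read -r p; do
        printf '%s\t%s\n' "$1" "$p"
    done
}

audit_jail() {
    jail="$1"
    [ -d "$jail" ] || { echo "audit_jail: no such directory: $jail" >&2; return 2; }

    # Block or character device nodes inside the jail. A root process can
    # mknod these itself (the post's point), but nodes that are already
    # present hand raw disk or memory access to ordinary jailed users too.
    find "$jail" -xdev \( -type b -o -type c \) -print | tag device

    # setuid/setgid programs (passwd, chfn and friends): the usual way a
    # jailed user becomes root inside the jail, which the post says must
    # never happen.
    find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | tag setuid

    # (fakeroot)/etc and everything under it must not be writable by the
    # jailed users; a writable jail passwd file is an open door to jailed root.
    if [ -d "$jail/etc" ]; then
        find "$jail/etc" -xdev -perm -0002 -print | tag world-writable
    fi
    return 0
}

# Convenience wrapper: number of findings, for a cron job or a nightly report.
audit_jail_count() {
    audit_jail "$1" | wc -l | tr -d ' '
}
```

Run it against the jail from outside the jail, as the post's rule b) requires; a non-zero count is a jail that needs fixing before the next user logs in.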