Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cuae2!ihnp4!houxm!hropus!jrw
From: jrw@hropus.UUCP (Jim Webb)
Newsgroups: net.unix-wizards
Subject: Re: chroot(2) security
Message-ID: <706@hropus.UUCP>
Date: Fri, 3-Oct-86 13:45:06 EDT
Article-I.D.: hropus.706
Posted: Fri Oct 3 13:45:06 1986
Date-Received: Sat, 4-Oct-86 12:27:22 EDT
References: <158@itcatl.UUCP> <113@nonvon.UUCP> <233@BMS-AT.UUCP>
Organization: Bell Labs, Holmdel, NJ
Lines: 32

> In article <113@nonvon.UUCP>, apn@nonvon.UUCP (apn) writes:
>
> > write a program that changes the root directory to /mnt23/user/test
> > and then proceeds to exec /bin/login
>
> On our system, login only has execute permission for root.

True here as well, but some sites setuid root login so that people can
say "exec login" to come in as another user w/o problems.  Who knows why
one would want to, though...

> But, one can link in the 'su' command!  Even if the /bin directory is
> execute only!

As an aside, if /bin were not readable, no one could use PATH to find
anything in it, not too cool, if you ask me...

> The resulting superuser process could then *modify* the
> su program to allow a special root password after leaving the chroot process.
> (Otherwise, even the root process could not access anything below the new
> root directory.)

It is even easier.  Assume for a moment that /tmp is actually in root
instead of being its own filesystem.  Now, make an etc and bin directory
in /tmp.  ln the real /etc/passwd into /tmp/etc/realpasswd and make a
/tmp/etc/passwd with a passwdless root entry.  ln in /bin/su into
/tmp/bin/su and copy /bin/sh there too, although you could link it as
well.  Make sure to do the same for /bin/ed.  (I guess you would need
some /dev entries, too.)  Now chroot to /tmp to run su and edit
/etc/realpasswd.  When it is written out, you could have added in a new
root entry.
--
Jim Webb                                   "Out of phase--get help"
...!ihnp4!hropus!jrw
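The trick in the post depends on a user being able to hard-link a setuid binary such as /bin/su into a tree they control on the same filesystem. From the administrator's side, that leaves a visible trace: the privileged binary's link count goes above one, and a second path names the same inode. The audit below is an added example, not code from the thread or from any of the posters; it walks a tree, reports setuid/setgid regular files with st_nlink > 1 grouped by (device, inode), and builds a constructed throwaway sample tree (a fake setuid `bin/su` hard-linked as `tmp/jail/bin/su`, plus an ordinary `bin/ls`) so it runs offline. All paths and file contents in it are constructed.

```python
"""Audit a tree for setuid/setgid files that carry extra hard links.

Added example (not from the Usenet thread). It models the trick in the
post above: a user hard-links a setuid binary such as /bin/su into a
directory tree under their control on the same filesystem. The audit
walks a tree and reports every setuid/setgid regular file whose link
count is greater than one, grouped by (device, inode), so an
administrator can see which paths alias the same privileged binary.
"""
import os
import stat
import tempfile
from collections import defaultdict


def find_multilinked_setuid(root):
    """Return {(st_dev, st_ino): [paths...]} for setuid/setgid regular
    files with st_nlink > 1 found under root. Symlinks are not followed,
    and unreadable entries are skipped rather than aborting the walk."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and st.st_nlink > 1:
                hits[(st.st_dev, st.st_ino)].append(path)
    return {key: sorted(paths) for key, paths in hits.items()}


def build_sample_tree():
    """Constructed sample tree, not a real system: bin/su is a setuid
    file, tmp/jail/bin/su is a hard link to it, and bin/ls is an ordinary
    non-setuid file. Returns the tree root."""
    root = tempfile.mkdtemp(prefix="chroot-audit-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "tmp", "jail", "bin"))
    su = os.path.join(root, "bin", "su")
    with open(su, "w") as f:
        f.write("#!/bin/sh\necho fake su\n")
    os.chmod(su, 0o4755)  # setuid bit, as /bin/su would carry
    # Same inode under a second name, as the post's "ln in /bin/su" would do.
    os.link(su, os.path.join(root, "tmp", "jail", "bin", "su"))
    ls = os.path.join(root, "bin", "ls")
    with open(ls, "w") as f:
        f.write("#!/bin/sh\necho fake ls\n")
    os.chmod(ls, 0o755)  # not setuid, so the audit must ignore it
    return root


def audit_sample():
    """Build the sample tree, run the audit, and return the path groups
    (each group is the list of root-relative paths sharing one inode)."""
    root = build_sample_tree()
    groups = find_multilinked_setuid(root)
    return [[os.path.relpath(p, root) for p in paths] for paths in groups.values()]


if __name__ == "__main__":
    for group in audit_sample():
        print("setuid binary reachable via several paths:", ", ".join(group))
```

The same check as a one-liner is `find / -xdev -perm -4000 -links +1`; the script's advantage is that it pairs up the aliases, so the administrator sees which path under /tmp (or another user-writable tree on the same filesystem) is naming the real su. Keeping /tmp and home directories on a separate filesystem, as the post's "assume /tmp is actually in root" caveat hints, defeats the hard link outright, since link(2) cannot cross filesystems.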