Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!columbia!rutgers!caip!pyrnj!mirror!rayssd!dpw
From: dpw@rayssd.UUCP (Darryl P. Wagoner)
Newsgroups: net.unix-wizards
Subject: Re: Re: chroot(2) security
Message-ID: <200@rayssd.UUCP>
Date: Sat, 4-Oct-86 07:44:17 EDT
Article-I.D.: rayssd.200
Posted: Sat Oct 4 07:44:17 1986
Date-Received: Mon, 6-Oct-86 18:38:52 EDT
References: <158@itcatl.UUCP> <113@nonvon.UUCP> <15879@ucbvax.BERKELEY.EDU>
Sender: dpw@rayssd.UUCP (Darryl P. Wagoner @ Raytheon Co., Portsmouth RI)
Organization: Raytheon Co., Portsmouth RI
Lines: 26

> >
> > copy /etc/passwd to /mt33/user/test/etc/passwd
> >
> > edit out the passwd for root
> >
> > write a program that changes the root directory to
> > /mnt23/user/test
> > and then proceeds to exec /bin/login
>
> Wait a minute, now it's *my* turn to be missing something here. *Which*
> /bin/login? If the root directory is now actually /mnt23/user/test, then
> presumably we would be trying to execute /mnt23/user/test/bin/login, not
> the /bin/login that is setuid root and which is able to log a user in.
>
> > run the program and log in as the su.

I think the part that was missed was the link from /bin/login and/or
/bin/su to /mnt23/user/test/bin/login or /mnt23/user/test/bin/su.
This would work only if /mnt23 was in the same file system as /bin.
The trick is to make a suid to root program.

--
Darryl Wagoner
Raytheon Co.; Portsmouth RI; (401)-847-8000 x4089
best path {allegra|gatech|mirror|raybed2} -----\
next best {linus|ihnp4|cci632} ------------------>!rayssd!dpw
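
Added example, not part of the original post: an audit that reports setuid files carrying more than one hard link, which is the condition the reply describes, together with the same-filesystem check it depends on. The function names are hypothetical, and the sample tree is constructed in a temporary directory with a placeholder file owned by the current user rather than a real root-owned login binary.

```python
import os
import stat
import tempfile
from collections import defaultdict


def same_filesystem(a, b):
    """Hard links cannot cross filesystems, so a link is only possible if st_dev matches."""
    return os.stat(a).st_dev == os.stat(b).st_dev


def linked_setuid_files(roots):
    """Map (device, inode) -> (link count, names found) for setuid files with extra hard links."""
    found = defaultdict(list)
    nlink = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable entry; skip it
                if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                        and st.st_nlink > 1):
                    key = (st.st_dev, st.st_ino)
                    found[key].append(path)
                    nlink[key] = st.st_nlink
    return {k: (nlink[k], sorted(v)) for k, v in found.items()}


def build_constructed_tree(top):
    """Constructed sample: a setuid file plus a second name for it under a user directory."""
    real = os.path.join(top, "bin", "login")
    extra = os.path.join(top, "user", "test", "bin", "login")
    os.makedirs(os.path.dirname(real))
    os.makedirs(os.path.dirname(extra))
    with open(real, "w") as fh:
        fh.write("placeholder, not a real login binary\n")
    os.chmod(real, 0o4755)   # setuid bit on a file we own (not root-owned here)
    os.link(real, extra)     # second directory entry for the same inode
    return real, extra


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as top:
        build_constructed_tree(top)
        for (dev, ino), (count, names) in linked_setuid_files([top]).items():
            print(f"dev={dev} ino={ino} links={count}")
            for n in names:
                print("   ", n)
```

When the link count is higher than the number of names the scan found, another name for that inode exists outside the scanned roots on the same filesystem. Keeping user-writable directories on a separate filesystem from the system binaries makes `same_filesystem` false, so the link cannot be created in the first place.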