Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!gatech!cuae2!ltuxa!cuuxb!mwm
From: mwm@cuuxb.UUCP (Marc W. Mengel)
Newsgroups: net.unix-wizards
Subject: Re: chroot(2) security
Message-ID: <845@cuuxb.UUCP>
Date: Sun, 5-Oct-86 22:07:13 EDT
Article-I.D.: cuuxb.845
Posted: Sun Oct 5 22:07:13 1986
Date-Received: Wed, 8-Oct-86 00:19:56 EDT
References: <158@itcatl.UUCP> <113@nonvon.UUCP> <233@BMS-AT.UUCP> <1669@bucsd.bu-cs.BU.EDU>
Reply-To: mwm@cuuxb.UUCP (Marc W. Mengel)
Followup-To: /dev/null
Organization: AT&T-IS, Software Support, Lisle IL
Lines: 24
Keywords: setuid, su, chroot, security
Summary: su is NOT the only problem...

>In article <113@nonvon.UUCP>, apn@nonvon.UUCP (apn) writes:
>
>I believe that 'su' is the only problem.  Take away 'su' and you can give
>them 'chroot'.  ('newgrp' is similar but not as bad.)

Actually, you need to get rid of almost *every* setuid program on the
system; at least any one that exec's another program via an absolute
path name.

Let's say (hypothetically) that ps had a -s option that sorted its
listing by uid, and that to do that, it wrote its usual output in /tmp,
and ran sort on it.  Now create a new root, with a /bin/sort that
actually gives you a shell, rather than sorting a file.  Now you do a
ps -s and get a shell.

Get the idea?  The holes are many, and well hidden.  I'm not even sure
that ones that don't exec another program are safe; that's just the few
I can think of.

Setuid programs are the classic place to find security problems; they
are only as secure as their own logic, which often assumes (and
rightfully so) that "/" is the real filesystem root.  Giving normal
users chroot will make this assumption invalid, and you will probably
find security problems coming out of the woodwork for years to come if
you allow chroots without careful thought.
--
Marc Mengel
...!ihnp4!cuuxb!mwm
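The hypothetical "ps -s" scenario from the post above, as an added example that is not part of the original article or its author's code. It builds the attacker's fake root with a planted /bin/sort, shows where an absolute path lands once chroot(2) is in effect, and puts the post's vulnerable helper pattern (exec by absolute path while still privileged) beside the usual fix (drop privileges permanently before exec'ing anything reached through the filesystem). The directory /tmp/fakeroot_demo, the use of /bin/sh as the planted payload, the constructed listing data and the function names are all assumptions made for this demo.

```c
/* Added example (not from the post or its author): the "ps -s" scenario
 * above as runnable code.  Paths such as /tmp/fakeroot_demo and the use
 * of /bin/sh as the planted payload are assumptions for the demo only. */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy src to dst byte for byte, creating dst with mode 0755.  0 on success. */
static int copy_file(const char *src, const char *dst) {
    char buf[8192];
    ssize_t n;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in);
    close(out);
    return n < 0 ? -1 : 0;
}

/* Attacker side: plant <payload> as <root>/bin/sort.  After chroot(root)
 * nothing outside <root> is visible, so a real payload must be statically
 * linked (or the fake root must also carry the loader and libraries). */
int build_fake_root(const char *root, const char *payload) {
    char path[4096];
    if (mkdir(root, 0755) != 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/bin", root);
    if (mkdir(path, 0755) != 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/bin/sort", root);
    return copy_file(payload, path);
}

/* Where an absolute path lands once chroot(root) is in effect: the kernel
 * starts the lookup at <root> instead of the real "/".  Returns a pointer
 * to a static buffer, or NULL if abs_path is not absolute or too long. */
const char *resolve_under_root(const char *root, const char *abs_path) {
    static char resolved[4096];
    if (abs_path[0] != '/') return NULL;
    if (snprintf(resolved, sizeof resolved, "%s%s", root, abs_path) >= (int)sizeof resolved)
        return NULL;
    return resolved;
}

/* A constructed stand-in for ps output, written where the helper can sort it. */
int write_sample_listing(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("200 bob   sh\n0   root  init\n100 alice vi\n", f);  /* constructed data */
    return fclose(f);
}

/* Run /bin/sort on file in a child and return its exit status (127 if the
 * exec failed, -1 on fork/wait error).  drop_privs selects the pattern:
 *   0: the post's "ps -s": exec by absolute path while still setuid, so a
 *      chroot user's planted "sort" runs with the program's privilege.
 *   1: hardened: setuid(getuid()) first, so whatever "/bin/sort" turns out
 *      to be runs with the caller's own privilege, not the program's. */
int sort_listing(const char *file, int drop_privs) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privs && (setuid(getuid()) != 0 || geteuid() != getuid()))
            _exit(126);  /* could not shed privilege: refuse to exec anything */
        execl("/bin/sort", "sort", file, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *root = "/tmp/fakeroot_demo";  /* assumed demo location */
    if (build_fake_root(root, "/bin/sh") != 0) { perror("build_fake_root"); return 1; }
    printf("after chroot(%s), /bin/sort is %s\n", root, resolve_under_root(root, "/bin/sort"));
    write_sample_listing("/tmp/fakeroot_demo/listing");
    printf("hardened helper exit status: %d\n", sort_listing("/tmp/fakeroot_demo/listing", 1));
    /* Only root may chroot(2).  Handing that to users is what the thread is
     * about: once they can, the exec above runs the planted "sort". */
    if (geteuid() == 0 && chroot(root) == 0 && chdir("/") == 0)
        printf("now chrooted: the next execl(\"/bin/sort\") would run the payload\n");
    return 0;
}
```

Build with `cc -o chroot_demo chroot_demo.c` and run as an ordinary user: the program plants the payload, prints the path the kernel would resolve /bin/sort to after the chroot, and runs the hardened helper. The chroot step itself only proceeds as root, which is exactly the privilege the post argues should not be handed to normal users. Note that dropping privileges with setuid(getuid()) is the fix that survives a hostile "/": it does not try to detect the chroot, it simply ensures the program has nothing left to give away when it exec's whatever sits at /bin/sort.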