Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 7/7/83; site rlgvax.UUCP
Path: utzoo!linus!philabs!seismo!rlgvax!guy
From: guy@rlgvax.UUCP
Newsgroups: net.unix-wizards,net.bugs.v7
Subject: Re: Security - suggested hack using chroot
Message-ID: <808@rlgvax.UUCP>
Date: Sun, 10-Jul-83 15:12:18 EDT
Article-I.D.: rlgvax.808
Posted: Sun Jul 10 15:12:18 1983
Date-Received: Mon, 11-Jul-83 10:38:02 EDT
References: <2827@sri-arpa.UUCP>
Organization: CCI Office Systems Group, Reston, VA
Lines: 67

There is a bug fix to make "chroot" secure under V7 (under vanilla V7, even if you set a process's root directory to "/usr/guest", "/.." refers to "/usr", and thus you can't use "chroot" to box a user into a restricted environment); the same fix was made in 4.1BSD and System III and later USG UNIX releases. The fix follows, along with another fix to forbid creating files in a directory with a zero link count. This latter fix prevents the creation of "orphan" files with the sequence:

    mkdir foo
    cd foo
    rmdir ../foo
    >orphan

These are the 4.1BSD fixes; the System III fix to the second problem puts the test on the line that reads:

    if((dp->i_mode&IFMT) != IFDIR)

and changes it to:

    if((dp->i_mode&IFMT) != IFDIR || dp->i_nlink==0)

which catches the problem slightly earlier (skipping the search of the directory entirely) and returns the error ENOTDIR instead of ENOENT.

*** nami.c.orig Sun Jul 10 15:01:57 1983 --- nami.c Sun Jul 10 15:03:16 1983 *************** *** 99,104 u.u_segflg = 1; eo = 0; bp = NULL; eloop: --- 99,107 ----- u.u_segflg = 1; eo = 0; bp = NULL; + if (dp == u.u_rdir && u.u_dbuf[0] == '.' && + u.u_dbuf[1] == '.' && u.u_dbuf[2] == 0) + goto cloop; eloop: *************** *** 111,117 if(u.u_offset >= dp->i_size) { if(bp != NULL) brelse(bp); ! if(flag==1 && c=='\0') { if(access(dp, IWRITE)) goto out; u.u_pdir = dp; --- 114,120 ----- if(u.u_offset >= dp->i_size) { if(bp != NULL) brelse(bp); ! 
if(flag==1 && c=='\0' && dp->i_nlink) { if(access(dp, IWRITE)) goto out; u.u_pdir = dp;

Guy Harris {seismo,mcnc,we13,brl-bmd,allegra
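
Review bot: The three lines added ahead of eloop: in the first hunk (99,107) have no comment, and the condition is not self-explanatory; please add one line saying that ".." looked up while dp is the process's root directory (dp == u.u_rdir) is made to resolve to that directory itself. The goto cloop target lies outside the visible context, so it should be confirmed that cloop is safe to enter with bp still NULL and before any directory block has been read. The test fires only when the lookup is actually at u.u_rdir, so it does not cover a process whose current directory was left outside the root it was given; a caller of chroot should also chdir into the new root, and the comment could say so. As a style point, u.u_dbuf[2] == 0 could be written == '\0' to match the c=='\0' comparison used in the second hunk.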
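
Review bot: In the second hunk (114,120) the new dp->i_nlink term relies on the implicit truth value of a link count; dp->i_nlink != 0 would read more clearly next to flag==1 and c=='\0', and the line wants a comment that it refuses creation in a directory that has already been removed. The test sits inside the u.u_offset >= dp->i_size branch, so the whole directory is still searched before the create is refused; the posting itself notes that testing i_nlink alongside the IFDIR check catches this earlier. When i_nlink is zero the branch is simply skipped, so the error returned is whatever the code after this block sets, which the hunk does not show.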
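
The ".." behaviour described in the post and the effect of the first hunk's dp == u.u_rdir test, as a user-space model added here (not code from the post or from V7). The node tree, child(), lookup() and the clamp flag are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a directory tree; not V7's struct inode. */
struct node { const char *name; struct node *parent; };
/* Constructed tree: / -> usr -> guest -> tmp. The root is its own parent. */
static struct node tree[4] = {
    { "/", &tree[0] }, { "usr", &tree[0] },
    { "guest", &tree[1] }, { "tmp", &tree[2] },
};

/* Find the entry named s[0..n) in directory dp, or NULL. */
static struct node *child(struct node *dp, const char *s, size_t n)
{
    size_t i;
    for (i = 1; i < sizeof tree / sizeof tree[0]; i++)
        if (tree[i].parent == dp && strlen(tree[i].name) == n &&
            memcmp(tree[i].name, s, n) == 0)
            return &tree[i];
    return NULL;
}

/* Walk path from rdir (absolute) or cdir (relative). clamp != 0 models the
 * patched kernel: ".." looked up in the process root stays in the root. */
static struct node *lookup(struct node *rdir, struct node *cdir,
                           const char *path, int clamp)
{
    struct node *dp = (*path == '/') ? rdir : cdir;
    for (;;) {
        size_t n;
        path += strspn(path, "/");
        n = strcspn(path, "/");
        if (n == 0)
            return dp;                       /* path exhausted */
        if (n == 2 && path[0] == '.' && path[1] == '.') {
            if (!(clamp && dp == rdir))      /* the dp == u.u_rdir test */
                dp = dp->parent;
        } else if (!(n == 1 && path[0] == '.')) {
            if ((dp = child(dp, path, n)) == NULL)
                return NULL;
        }
        path += n;
    }
}

int main(void)
{
    printf("unpatched: %s\n", lookup(&tree[2], &tree[2], "/..", 0)->name);
    printf("patched:   %s\n", lookup(&tree[2], &tree[2], "/..", 1)->name);
    return 0;
}
```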