Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83; site fortune.UUCP
Path: utzoo!linus!philabs!seismo!hao!hplabs!hpda!fortune!berry
From: berry@fortune.UUCP
Newsgroups: net.unix-wizards
Subject: Re: chroot() - (nf)
Message-ID: <1266@fortune.UUCP>
Date: Fri, 15-Jul-83 04:05:05 EDT
Article-I.D.: fortune.1266
Posted: Fri Jul 15 04:05:05 1983
Date-Received: Sat, 16-Jul-83 04:58:47 EDT
Sender: notes@fortune.UUCP
Organization: Fortune Systems, San Carlos, CA
Lines: 31

#R:sri-arpa:-285600:fortune:11600026:000:613
fortune!berry    Jul 14 20:10:00 1983

-------------------
	Does anyone know why chroot() is protected?
	What harm can be done by a user who restricts himself to
	a part of the file-tree?
-------------------


	What about the following procedure?

	link /bin/login to .../me/bin/login
	link /bin/csh   to .../me/bin/csh
	edit .../my/etc/passwd to contain a root entry with no password
	chroot .../me
	login root
	#

	I now have a root shell.  Granted I can only play in this filesystem
for now, but what is to keep me from creating files setuid root that merely
exec /bin/csh...



	David W. Berry
	amd70!fortune!berry
	cbosgd!...
	harpo!...
	hpda!...
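
A defender's view of the procedure in the post, as an added example that is not part of the original article: a Python audit of a directory proposed as a chroot target, flagging the conditions the post relies on (a setuid program hard-linked into the tree next to an etc/passwd that root does not control). The function names, finding labels and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_chroot_tree(root):
    """Return sorted findings for a directory intended as a chroot target."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            rel = os.path.relpath(path, root)
            # After chroot, a setuid program reads /etc/passwd from this tree.
            findings.append(f"setuid:{rel}")
            if st.st_nlink > 1:
                findings.append(f"hardlinked-setuid:{rel}")  # inode has another name
    passwd = os.path.join(root, "etc", "passwd")
    if os.path.isfile(passwd):
        pst = os.stat(passwd)
        if pst.st_uid != 0 or pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("passwd-not-root-controlled:etc/passwd")
        with open(passwd, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) >= 3 and fields[2] == "0" and fields[1] == "":
                    findings.append(f"uid0-empty-password:{fields[0]}")
    return sorted(findings)


def build_constructed_tree():
    """Build a constructed sample tree with the layout described in the post."""
    root = tempfile.mkdtemp(prefix="jail-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    login = os.path.join(root, "bin", "login")
    with open(login, "w") as fh:
        fh.write("placeholder, not a real binary\n")
    os.link(login, os.path.join(root, "bin", "login.orig"))  # second name, same inode
    os.chmod(login, 0o4755)  # setuid bit only; the file is owned by the caller
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root::0:0:constructed entry:/:/bin/csh\n")
    return root


if __name__ == "__main__":
    print("\n".join(audit_chroot_tree(build_constructed_tree())))
```

Any setuid finding combined with a passwd finding means the tree's owner decides who the setuid program treats as root once the root directory is changed.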