Xref: utzoo news.admin:4214 news.sysadmin:1869 comp.mail.uucp:2484
Path: utzoo!utgpu!watmath!clyde!bellcore!rutgers!mailrus!purdue!decwrl!labrea!csli!gandalf
From: gandalf@csli.STANFORD.EDU (Juergen Wagner)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: chroot (was: Re: Dangerous hole in Usenet!
Message-ID: <6714@csli.STANFORD.EDU>
Date: 7 Dec 88 21:11:18 GMT
References: <1971@van-bc.UUCP> <572@comdesign.CDI.COM> <5517@medusa.cs.purdue.edu> <561@redsox.UUCP> <215@twwells.uucp> <155@ecicrl.UUCP> <1988Nov29.181037.23528@utzoo.uucp> <157@ecicrl.UUCP>
Reply-To: gandalf@csli.stanford.edu (Juergen Wagner)
Organization: Center for the Study of Language and Information, Stanford U.
Lines: 27

[Sorry, my rn gives me an internal error when I try to followup.]

I thought this had been chewed on for long enough, ...

Michael Gersten (michael@maui.cs.ucla.edu) writes:
>...
> Let's say I put a dummy passwd in mydir/etc.
> And I do an "exec chroot mydir login".
> I then login as root.
> BUT: I'm in mydir, and I can't get out.

Right! You can't. But how about copying /bin/sh to your
directory, then doing the chroot stuff you describe,
and finally typing something like
	chown root sh
	chmod 4755 sh
Now type "exit" to this shell, and you're back to the
login prompt. At your next login (and here chroot is
*NO LONGER* active), you will find a setuid root file
called sh in that mydir, giving you a root shell with
access to the *ENTIRE* file system!

'nuff said.

-- 
Juergen Wagner		   			gandalf@csli.stanford.edu
						 wagner@arisia.xerox.com
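
Added example, not part of the original post: a POSIX shell check an administrator can run from outside the jail to find the artifact described above, a setuid file left behind in a chroot directory. The function name `audit_jail` and its output format are assumptions made for this illustration.

```shell
#!/bin/sh
# audit_jail DIR
#   Scans a chroot directory tree from OUTSIDE the jail for setuid/setgid
#   regular files. Prints one line per finding and returns:
#     0 = clean, 1 = findings, 2 = DIR is not a directory.
#   (Hypothetical helper written for this example.)
audit_jail() {
    jail=$1
    if [ ! -d "$jail" ]; then
        echo "audit_jail: not a directory: $jail" >&2
        return 2
    fi

    # Setuid files owned by uid 0: the case from the post, where
    # "chown root sh; chmod 4755 sh" was run inside the chroot.
    crit=$(find "$jail" -xdev -type f -user 0 -perm -4000 \
               -exec printf 'CRITICAL setuid-root %s\n' {} +)

    # Any other setuid or setgid file is still unexpected in a jail.
    warn=$(find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
               ! \( -user 0 -perm -4000 \) \
               -exec printf 'WARN setid %s\n' {} +)

    if [ -z "$crit$warn" ]; then
        return 0
    fi
    if [ -n "$crit" ]; then printf '%s\n' "$crit"; fi
    if [ -n "$warn" ]; then printf '%s\n' "$warn"; fi
    return 1
}

# Stand-alone use: sh audit_jail.sh /path/to/mydir
if [ $# -gt 0 ]; then
    audit_jail "$1"
fi
```

Mounting the filesystem that holds the jail with `nosuid` makes such a file inert even if it does get created, and keeping the jail directory unreachable by ordinary users outside the chroot removes the second half of the trick.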