Xref: utzoo news.admin:4108 news.sysadmin:1725 comp.mail.uucp:2389
Path: utzoo!utgpu!watmath!clyde!att!rutgers!mailrus!nrl-cmf!ames!vsi1!apple!epimass!jbuck
From: jbuck@epimass.EPI.COM (Joe Buck)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <2683@epimass.EPI.COM>
Date: 29 Nov 88 20:01:39 GMT
References: <1971@van-bc.UUCP> <572@comdesign.CDI.COM> <5517@medusa.cs.purdue.edu> <561@redsox.UUCP> <215@twwells.uucp> <155@ecicrl.UUCP>
Reply-To: jbuck@epimass.EPI.COM (Joe Buck)
Organization: Entropic Processing, Inc., Cupertino, CA
Lines: 26

In article <155@ecicrl.UUCP> clewis@ecicrl.UUCP (Chris Lewis) writes:
>Secondly, can someone out there explain why chroot is privileged? Or
>why /etc/chroot isn't setuid? It seems pretty darn silly that some
>mechanism that can only be used for *reducing* access rights requires
>root permission.

Picture this:

	mkdir /tmp/etc /tmp/bin
	cp /bin/sh /tmp/bin
	echo "root::0:0:Root:/:/bin/sh" > /tmp/etc/passwd
	/etc/chroot /tmp su

The final command runs the "su" command with a root of /tmp. It uses
the dummy password file created by the echo command, which has no
password for root. You are now root, and you can do another chroot to
gain access to the whole system.

This is why chroot is privileged!
-- 
- Joe Buck  jbuck@epimass.epi.com, or uunet!epimass.epi.com!jbuck, or jbuck%epimass.epi.com@uunet.uu.net for old Arpa sites
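The post's closing point, that a process which stays root inside a chroot can simply chroot again and walk out, is why a privileged daemon that jails itself must also drop root. The helper below is an added example, not code from the thread; the function name enter_jail and the nobody-style uid/gid values are assumptions. It enters the jail, re-anchors the working directory, drops group and user privileges in the right order, refuses a target uid of 0, and verifies that root cannot be regained.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter a chroot jail and permanently give up root.
 * Returns 0 on success, -1 on failure with errno set.
 * Keeping root inside the jail is useless: a root process can call
 * chroot() a second time and escape, exactly as the post describes. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* Refuse to "drop" to root: a root process in a jail is not confined. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0)          /* requires privilege, as the post notes */
        return -1;
    /* chroot() does not move the cwd; without this the old tree stays
     * reachable through the current directory. */
    if (chdir("/") != 0)
        return -1;
    /* Drop supplementary groups first, then gid, then uid: once the uid
     * is no longer 0 the group calls would fail. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible; if root can be regained, bail out. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed placeholder jail path and an unprivileged uid/gid. */
    if (enter_jail("/var/empty", 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("jailed and unprivileged: uid=%d\n", (int)getuid());
    return 0;
}
```

Run as root with a real jail directory to see the success path; as an ordinary user the chroot() call itself fails with EPERM, which is the behaviour the post defends.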