On Sat, Dec 02, 2000 at 08:39:29PM -0500, Daniel Burrows wrote:
> > In what way would chroot elevate privileges for a non-root user?
>
> I'm not sure, but I think that there may be an issue with, eg:
>
> (a) ln /bin/some-'safe'-suid-program my-evil-chroot/bin
> (b) cp my-hacked-libc my-evil-chroot/lib
> (c) cp /bin/bash my-evil-chroot/bin
> (d) chroot my-evil-chroot some-'safe'-suid-program
> (e) the hacked libc causes some-'safe'-suid-program to make
>     my-evil-chroot/bin/bash suid root
> (f) my-evil-chroot/bin/bash my-evil-rootkit
>
> (I don't really know what the issue is, but this would seem like a logical
> concern to me)

That would probably work, but another reason is simply that if chroot() is not privileged then any chrooted daemon/user could easily break out of a chroot jail. IIRC this works by opening a directory, say /foo, where /foo is really a chroot at /home/foo; the user can then chroot to /foo/bar, and use the open descriptor on /foo to break out of the chroot entirely. I think I got that partly wrong, but that's the basic idea I read somewhere.

--
Ethan Benson
http://www.alaska.net/~erbenson/
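The defensive counterpart to steps (a) through (c) above is to audit a chroot tree before any privileged program is pointed at it: a setuid binary hard-linked into the jail, or a lib directory the jailed user can write to, is exactly what turns a "safe" chroot into a privilege-escalation path. The script below is an added example written for this page, not code from either poster. The function names (audit_jail, build_sample_jail, remove_sample_jail), the finding labels and the sample tree are all assumptions constructed here; the sample tree mirrors the thread's my-evil-chroot layout in a temporary directory so the script runs offline.

```python
import os
import shutil
import stat
import tempfile

# Finding labels are names chosen for this example (an assumption), not
# the vocabulary of any existing audit tool.


def audit_jail(root):
    """Walk a chroot tree and report contents that would let an
    attacker-controlled root directory subvert a privileged program.

    Only the jail's own contents are examined, never the host tree:
      - 'setuid' / 'setgid': privileged executables inside the jail
      - 'hardlinked': regular files with st_nlink > 1; a hard link shares
        its inode with a file somewhere else, so this may be a system
        binary that will now be resolved against the jail's own /lib
      - 'world-writable': files or directories anyone inside the jail can
        modify, e.g. a lib directory that could receive a hacked libc
    Returns a list of (label, path) tuples.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # symlinks resolve inside the jail at runtime; not a bit to audit
            if stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings.append(("setuid", path))
                if mode & stat.S_ISGID:
                    findings.append(("setgid", path))
                if st.st_nlink > 1:
                    findings.append(("hardlinked", path))
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", path))
    return findings


def build_sample_jail():
    """Construct a throwaway tree (constructed test data, nothing taken from
    a real system) shaped like the thread's my-evil-chroot:
      parent/system/bin/safe-suid-program   stand-in for /bin/some-'safe'-suid-program
      parent/jail/bin/safe-suid-program     hard link into the jail, step (a)
      parent/jail/lib                       world-writable, ready for step (b)
      parent/jail/bin/bash                  plain copy, step (c), not itself a finding
    Returns (parent, jail) so the caller can audit the jail and clean up.
    """
    parent = tempfile.mkdtemp(prefix="jail-audit-")
    system_bin = os.path.join(parent, "system", "bin")
    jail = os.path.join(parent, "jail")
    os.makedirs(system_bin)
    os.makedirs(os.path.join(jail, "bin"))
    os.makedirs(os.path.join(jail, "lib"))

    suid_prog = os.path.join(system_bin, "safe-suid-program")
    with open(suid_prog, "w") as fh:
        fh.write("#!/bin/sh\n")  # placeholder body; never executed here
    os.chmod(suid_prog, 0o4755)  # setuid bit, as a real suid program carries
    os.link(suid_prog, os.path.join(jail, "bin", "safe-suid-program"))  # step (a)

    os.chmod(os.path.join(jail, "lib"), 0o777)  # attacker-writable lib dir

    bash_copy = os.path.join(jail, "bin", "bash")
    with open(bash_copy, "w") as fh:
        fh.write("#!/bin/sh\n")  # placeholder for the copied shell, step (c)
    os.chmod(bash_copy, 0o755)
    return parent, jail


def remove_sample_jail(parent):
    """Delete the constructed tree."""
    shutil.rmtree(parent)


if __name__ == "__main__":
    parent, jail = build_sample_jail()
    try:
        for label, path in audit_jail(jail):
            print(f"{label:15} {os.path.relpath(path, jail)}")
    finally:
        remove_sample_jail(parent)
```

On the constructed tree the audit reports bin/safe-suid-program twice (setuid and hardlinked) and lib once (world-writable); the copied shell produces nothing, which is the point: the dangerous pieces are the privileged binary and the writable library path, not the shell that would later be made suid.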