From owner-freebsd-security Mon Sep 9 15:59:35 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA27571 for security-outgoing; Mon, 9 Sep 1996 15:59:35 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA27563 for ; Mon, 9 Sep 1996 15:59:32 -0700 (PDT)
Received: from eel.dataplex.net (eel.dataplex.net [208.2.87.2]) by who.cdrom.com (8.7.5/8.6.11) with SMTP id PAA05306 for ; Mon, 9 Sep 1996 15:59:28 -0700 (PDT)
Received: from [208.2.87.4] (cod [208.2.87.4]) by eel.dataplex.net (8.6.11/8.6.9) with SMTP id RAA24885; Mon, 9 Sep 1996 17:57:52 -0500
X-Sender: rkw@shark.dataplex.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 9 Sep 1996 17:57:53 -0500
To: Zach Heilig
From: rkw@dataplex.net (Richard Wackerbarth)
Subject: Re: Question about chroot
Cc: security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Thanks everyone for the many replies.

>In a previous message, Richard Wackerbarth wrote:
>>If that is the case, why wouldn't it be good enough for chroot to be suid
>>root and allow any user to execute it?
>
>>Am I overlooking some security hole?
>
>Yes.
>
>This is one reason it is bad to have a world-writable directory on the
>same filesystem as the /usr filesystem.

Fundamentally, the problem is that certain suid-root programs can 1) be copied and 2) trust the contents of files based solely on their path. In addition, there is no distinction made between "root" in the global environment and "root" in the chrooted environment. As a result, anyone who can "chroot" can trick the system into adopting the chrooted "root" as the global "root".

Hence the solution is to either "fix" those routines which are suid-root so that they cannot be made to reference a trojan file (the password file). Otherwise, we have to adopt the present solution of restricting the chroot to "root". And "he" better be very careful in using it.
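The "be very careful" part of the reply, as an added example that is not code from this thread or from FreeBSD: a small jail launcher that refuses a jail directory an unprivileged user could have populated, and that drops root permanently after chroot so no "root" exists inside the jail. The function names, the root-owned/not-group-or-world-writable rule and the usage line are this example's own assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* A jail directory is only safe to chroot into if an unprivileged user could
 * not have planted files (e.g. a trojan /etc/passwd) there: it must exist, be
 * a directory, be owned by root, and not be group- or world-writable.
 * Returns 1 if safe, 0 otherwise. */
int chroot_dir_is_safe(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Enter the jail and permanently become an unprivileged user, so that "root"
 * inside the jail never exists. Must be run as real root. Returns 0 on
 * success, -1 with errno set on failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* never stay root */
    if (!chroot_dir_is_safe(dir)) { errno = EACCES; return -1; }
    if (chdir(dir) != 0 || chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    /* supplementary groups first, then primary gid, then uid */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* the drop must be irreversible: regaining root has to fail */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Usage: safe_jail <dir> <uid> <gid> <program> [args...] */
int main(int argc, char **argv)
{
    if (argc < 5) { fprintf(stderr, "usage: %s dir uid gid prog [args]\n", argv[0]); return 2; }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) { perror("enter_jail"); return 1; }
    execv(argv[4], &argv[4]);
    perror("execv");
    return 1;
}
```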