From owner-freebsd-security Tue Dec 22 10:18:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA26804 for freebsd-security-outgoing; Tue, 22 Dec 1998 10:18:50 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA26791 for ; Tue, 22 Dec 1998 10:18:46 -0800 (PST) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.1/8.9.1) id TAA45375; Tue, 22 Dec 1998 19:16:06 +0100 (CET) (envelope-from des)
To: Casper
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: About chroot
References: <367FCD34.FE3CF78F@acc.am>
From: Dag-Erling Smorgrav
Date: 22 Dec 1998 19:16:05 +0100
In-Reply-To: Casper's message of "Tue, 22 Dec 1998 20:47:48 +0400"
Message-ID:
Lines: 17
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Casper writes:
> Is there any way to change back to / when logged in to a chroot-ed
> environment?

Break root, create a device node for kmem, open it, edit your process
structure. Or something like that. Won't work unless there are exploitable
suid binaries available, but I'm sure there are other, subtler ways.

(Reminds me of how fun it is, on a Sun box, to use the monitor's Forth
interpreter to edit your shell's process structures and set the uid/gid to
0 - assuming the sysadmin has forgotten to set a monitor password, which
happens more often than you'd think.)

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no