SUMMARY: Why no chroot() unless one's root?

From: Jochen Bern (bern@penthesilea.uni-trier.de)
Date: Thu Sep 26 1996 - 09:03:11 CDT


I asked:
> I have to execute a program that
> I don't trust (from root's perspective) chroot'ed. chroot can only
> be done (on my 4.1.3_U1B machines, that is) by root. I assume that there
> is some security consideration requiring that.
>
> What I'm actually trying to do: provide an ls variant that will produce
> listings exactly like the ones that can be seen from an anon FTP login,
> thus they need to use the ls executable, dynamic libraries, /etc/passwd,
> /etc/group, ..., from ~ftp rather than /, if there are any differences
> in the first place.

First off, yes, chroot IS restricted to root because of security concerns.
If it were freely available, any user able to write to any partition
containing login, su or some such could set up a chroot environment there
and run it chrooted, with accounts and passwords defined to his liking.
Then chown root and chmod 4755 a copy of /bin/sh, drop back out of the
chroot and the system's yours. (Could it even be done *anywhere* the user
can write to? I doubt that. In that case, having /usr etc. mounted r/o on
most of our machines would be even more of an advantage than I thought.)

Second, for the application I had in mind (chroot ONLY to ~ftp - if that
user exists at all - and run ONLY /bin/ls there), the only *additional*
risk is that I leave the executable dynamically linked, or setuid-root
but world-writable ... which I won't. I hope. :-) Otherwise, the same
hole could be exploited by anon FTP. (Is there an ftpd with the complete
anon FTP code removed in the first place? I don't remember seeing one so
far.)

Thanks to:
blymn@awadi.com.au (Brett Lymn)
ahoerter@netcom.com (Andrew Hoerter)
mike@trdlnk.com (Michael Sullivan)

Regards,
                                                                J. Bern

-- 
  /\  /""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""\
 /  \/ bern@uni-trier.de    (Size Limit!)   | P.O. Box 1203 | Ham:  \/\
/ J. \ bern@ti.uni-trier.de (SUNAttachm.OK) | D-54202 Trier | DD0KZ /  \
\Bern/ No Finger etc.; Use Mail (Subj. "##" for Autoreply List) and \  /
 \  /\ WWW. /\/
  \/  \____________________________________________________________/
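The wrapper the post describes (a setuid-root program that chroots only to ~ftp, only if that account exists, drops privilege, and runs only the jail's /bin/ls), written out as an added example. This is not code from the post or from any SunOS tool; it assumes a modern POSIX system (checked against Linux), an account named "ftp" whose home directory is the anon-FTP root, and a statically linked /bin/ls inside that root. The program name ftpls and the two mode-check helpers are my own. The helpers encode the two preconditions the post's attack depends on: a jail root someone other than root can write to, and an executable in the jail that is writable or setuid.

```c
/* ftpls.c: setuid-root wrapper that runs the jail's /bin/ls inside ~ftp as
 * the calling user.  Added illustration, not code from the original post.
 * Assumptions: POSIX/Linux, an "ftp" account (looked up with getpwnam),
 * and a statically linked /bin/ls inside ~ftp.  Install as root:root 4711. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* An executable in the jail is safe to exec only if nobody but root could
 * have altered it and it carries no privilege of its own: owned by root,
 * no group/other write bit, no setuid/setgid bit. */
int exe_mode_is_safe(uid_t owner, mode_t mode)
{
    if (owner != 0) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    if (mode & (S_ISUID | S_ISGID)) return 0;
    return 1;
}

/* The jail root must be a directory owned by root and not writable by
 * group/other; a writable chroot root is exactly the precondition for the
 * planted-su-and-passwd trick described in the post. */
int jail_mode_is_safe(uid_t owner, mode_t mode)
{
    if (owner != 0) return 0;
    if (!S_ISDIR(mode)) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

static void die(const char *what)
{
    fprintf(stderr, "ftpls: %s: %s\n", what, strerror(errno));
    exit(1);
}

int main(int argc, char **argv)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    struct passwd *pw;
    struct stat st;
    char **args;
    int i;

    if (geteuid() != 0) {
        fprintf(stderr, "ftpls: must be setuid root to chroot\n");
        return 1;
    }

    /* chroot ONLY to ~ftp, and only if that account exists at all. */
    pw = getpwnam("ftp");
    if (pw == NULL) {
        fprintf(stderr, "ftpls: no ftp account, refusing to run\n");
        return 1;
    }
    if (stat(pw->pw_dir, &st) < 0) die(pw->pw_dir);
    if (!jail_mode_is_safe(st.st_uid, st.st_mode)) {
        fprintf(stderr, "ftpls: %s is not a root-owned, unwritable directory\n",
                pw->pw_dir);
        return 1;
    }

    /* chdir into the jail before chroot and again after: a process whose
     * cwd is outside the new root can still walk back out of it. */
    if (chdir(pw->pw_dir) < 0) die("chdir");
    if (chroot(pw->pw_dir) < 0) die("chroot");
    if (chdir("/") < 0) die("chdir /");

    /* Drop root for good: supplementary groups, then gid, then uid (setuid
     * first would leave us unable to change the gid).  Then verify the drop
     * stuck: for a non-root caller, setuid(0) must now fail. */
    if (setgroups(0, NULL) < 0) die("setgroups");
    if (setgid(rgid) < 0) die("setgid");
    if (setuid(ruid) < 0) die("setuid");
    if (ruid != 0 && (setuid(0) == 0 || geteuid() == 0)) {
        fprintf(stderr, "ftpls: privilege drop failed\n");
        return 1;
    }

    /* Check the jail's own /bin/ls, seen through the jail's own view of the
     * filesystem, before handing it the caller's argument list. */
    if (stat("/bin/ls", &st) < 0) die("/bin/ls in jail");
    if (!exe_mode_is_safe(st.st_uid, st.st_mode)) {
        fprintf(stderr, "ftpls: /bin/ls in jail is writable or setuid, refusing\n");
        return 1;
    }

    args = calloc((size_t)argc + 1, sizeof *args);
    if (args == NULL) die("calloc");
    args[0] = "ls";
    for (i = 1; i < argc; i++) args[i] = argv[i];
    args[argc] = NULL;
    execv("/bin/ls", args);
    die("execv");
    return 1;
}
```

Usage is `ftpls -l pub`, with paths interpreted relative to the jail root. The two stat checks are the "check" a practitioner adds to the post's list of conditions: the wrapper refuses to run rather than trusting that ~ftp and its /bin/ls were set up correctly, and the post-drop setuid(0) probe guards against the privilege drop silently failing.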

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:10 CDT