Subject: Re: chroot(2)
To: Brett Lymn <>
From: Todd Vierling <>
List: tech-kern
Date: 10/13/1998 12:54:25
On Tue, 13 Oct 1998, Brett Lymn wrote:

: >How is a user going to manage to install a set-uid or set-gid binary
: >without superuser privileges?  (I suppose he can make this set-uid or
: >set-gid to his own account but I have difficulty seeing how this
: >compromises system security.)
: I suppose it all hinges on how carefully we can control the concept of
: "his own account".  This control is normally vested in files that only
: root has privilege to modify, with a chrooted environment the control
: of those files will be under the control of a user - once those files
: are chrooted their meanings are very different.

I suppose what the original question was trying to be asked can be answered
more simply.

Let's say you hard-link /usr/bin/login to /someroot/login (which a normal
user can do), and hard-link /bin/sh to /someroot/sh.  Then you create a
/someroot/etc/spwd.db that includes the databased version of:


Then think what happens when you chroot and run the login inside the chroot
jail.  Add chmod/chown and you can create a suid sh that can be run from
outside the jail....

: > All the standard methods for breeching root are disabled: su doesn't
: > work, login doesn't work,

Since when are login and su disabled in a chrooted environment withthe
current implementation?

-- Todd Vierling (Personal; Bus.