Subject: Re: chroot: why super-user only?
To: None <firstname.lastname@example.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 01/24/2003 14:35:48
>>> Or am I missing another vulnerability?
>> You're missing another vulnerability. [...]
> How is this an issue if we disalow Set-id on non-root chroot()?
> The idea of making chroot usable by non-root has been floated, and
> everone has taken the lack of honoring set-id as a given.
It wasn't clear to me that was part of what you outlined. I must have
missed whatever caused everyone else to assume no set-id.
> What else do we need?
I'm not sure. Perhaps nothing - but I'm not _nearly_ sure enough of
that to bet my systems' security on it.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML email@example.com
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B