Subject: Re: chroot() behaviour? (was Re: tar ignores filenames that contain `..')
To: Greywolf <>
From: Andrew Brown <>
List: tech-security
Date: 10/31/2002 14:05:56
># Actually netbsd chroot seems to have fixed the easy escape,
># can fchroot be used instead:
># 	fd = open("/",..);
># 	chroot(path);
># 	....
># 	fchroot(fd);
>I just had a thought.  Presumably, the reason for not permitting chroot()
>is that one could potentially hard link something like login or su into
>their tree, provide their own password databases and gain root access via
>a shell.  At least that was the rationale explained to me for not allowing
>chroot() by normal users.

that's exactly it.  it's trivial to do, too, and requires about three
minutes of thought.  and a properly writable filesystem.

>What if chroot() were to create/cause exec semantics such that, if not
>called by a super-user, setuid/setgid would be ignored?

that would be...almost pointless, no?  i mean, if the binary weren't
setuid *at all*, then root could still switch to the appropriate

|-----< "CODE WARRIOR" >-----|
(Andrew Brown)
* "ah!  i see you have the internet that goes *ping*!"
* "information is power -- share the wealth."
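The sequence a root-privileged daemon should follow to enter a chroot jail and stay unprivileged afterwards, as an added example that is not part of this thread: chdir into the jail, chroot, chdir to the new root, then drop supplementary groups, gid and uid, and verify that root cannot be regained, so that chroot()/fchroot() (the fd trick quoted above is root-only) are no longer reachable from inside. The jail path and uid/gid 65534 are placeholders.

```c
/* Added example, not from the thread. Must be started as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `jail` and drop to uid/gid. Returns 0 on success, -1 on failure
 * with errno set. Every step is checked: a half-applied sequence (chroot
 * done, privileges kept) is worse than none. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {          /* refuse to "drop" to root */
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail) != 0) return -1;     /* cwd inside the jail first... */
    if (chroot(jail) != 0) return -1;    /* ...so chroot cannot leave it outside */
    if (chdir("/") != 0) return -1;      /* cwd is now the new root */

    /* drop supplementary groups before the primary gid, then the uid;
       as root, setuid() also clears the saved uid so it cannot come back */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* verify: regaining root must now fail, which also means chroot()
       and fchroot() are no longer available to this process */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/empty"; /* placeholder */
    if (enter_jail(jail, 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    puts("jailed and unprivileged");
    return 0;
}
```

Run as root with a jail directory that is not writable by the target uid; run as a normal user the chroot() step fails with EPERM, which is the kernel restriction the thread is discussing.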