On Tue, 25 Jul 2000, Roman Drahtmueller wrote:
> > hm, the guy who wrote that patch seems not very familiar with chroot()ed environments. he misses the chdir() after the chroot(), which makes the chroot jail insecure. to be on the safe track initgroups() should be
> Just a brief note, since people often tend to consider chroot() a security feature of the kernel:
> As long as a process inside a chroot()ed environment is capable of doing chroot(2), the process will be able to break out. Executing chdir(2) after chroot(2) doesn't really remedy this illness.
if the process could chroot(), it has root privileges. with the power of root you have 1001 ways to break chroot. it's also possible to break chroot without root.
Try this: chroot(1) as root and then execute the little q+d hack underneath my sig to break out. You might want to link it statically if you don't have the necessary libraries around.
AFAIK this bug does not work on all Unix derivatives.

Bye, Thomas
-- 
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de  Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
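Since the escape both posts describe depends on the jailed process still being able to call chroot(2), here is the defensive sequence they point at (chroot, then chdir, then give up root) as an added example; it is not code from this thread. Assumptions: uid/gid 65534 stands in for an unprivileged account, the jail directory is supplied by the caller, and setgroups(0, NULL) takes the place of the initgroups() call mentioned above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Enter a chroot jail, then seal it by giving up root. Order matters:
 * chroot(2) only moves where path lookups start; chdir(2) puts the cwd
 * under the new root (a cwd left outside is an open door); dropping the
 * groups, gid and uid removes the ability to call chroot(2) again, which
 * is the escape route the thread is about. Returns 0, or -1 with errno.
 * setgroups(0, NULL) is assumed here in place of initgroups(3). */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0) { errno = EINVAL; return -1; }   /* root can always leave */
    if (chroot(jail_dir) != 0) return -1;          /* EPERM without privilege */
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is irreversible rather than assume it. */
    if (setuid(0) == 0 || seteuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* A jail is only as good as the process's inability to leave it:
 * 1 if chroot(2) is now refused, 0 if it would still succeed. */
int jail_is_sealed(void)
{
    if (geteuid() == 0) return 0;
    if (chroot("/") == 0) return 0;   /* still privileged (CAP_SYS_CHROOT) */
    return errno == EPERM;
}

/* Run the sequence in a forked child so the caller's process is untouched.
 * 0: jailed and sealed; 1: enter_jail() failed (usually no privilege to
 * chroot); 2: jailed but NOT sealed; -1: fork/wait error. */
int probe_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (enter_jail(jail_dir, uid, gid) != 0) _exit(1);
        _exit(jail_is_sealed() ? 0 : 2);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Run as root with a prepared jail directory, probe_jail() returns 0; as an unprivileged user it returns 1 because the chroot(2) call itself is refused.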