different wrote:
On 16:21 Sun 14 Jun     , 7v5w7go9ub0o wrote:
[... SNIP ...]

Nope.... that's all there is to the wrapper.

gcc runchroot.c -o runchroot
chown root runchroot
chmod u+s runchroot

Ouch. Do _not_ set the setuid-bit on runchroot. Otherwise it would be
a piece of cake for the intruder to gain root-privileges:

d...@mallory ~ $ ls -l runchroot
-rwsr-xr-x 1 root root 7680 Jun 15 04:37 runchroot
d...@mallory ~ $ ./runchroot -u root -d / -- /bin/sh
# id
uid=0(root) gid=0(root) groups=10(wheel),18(audio),27(video),1000(diff),1007(qemu)
# ls -l /proc/self/root
lrwxrwxrwx 1 root root 0 Jun 15 04:45 /proc/self/root -> /

/ck

Thank you! for posting this!!

TBH, I wondered about this. After updating to 64bit, I compiled
runchroot and forgot to do the setuid-bit - yet everything *appears* to
work fine; i.e. the user is changed to the designated, unprivileged
user; however, I haven't confirmed that the privileges have also been
dropped - they *seem* to have been. So I included the setuid advice
provided in this link: <http://www.gammon.com.au/forum/?id=885>

The source code makes no mention of setuid.

Based on your note, I'll continue with a non-setuid setup. :-)



