RE: [suse-security] /usr/sbin/compartment fails to chroot for non-root user
> -----Original Message-----
> From: Peter Wiersig [mailto:wiersig-ml@xxxxxxxxxxxxx]
> Sent: 21 January 2004 10:11
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] /usr/sbin/compartment fails to chroot for
> non-root user
> Tom Knight wrote:
> > Looking at the file "problem" that strace creates tells me that:
> > <snip>
> > [400e10cd] chroot("/home/update.jail") = -1 EPERM (Operation not permitted)
> man 2 chroot:
> #include <unistd.h>
> int chroot(const char *path);
> chroot changes the root directory to that specified in path.
> This directory will be used for path names beginning with /.
> The root directory is inherited by all children of the
> current process.
> Only the super-user may change the root directory.
> > Any ideas on how to solve this?
> Clean programming and suid-binaries.
Okay, obviously you aren't telling me to make chroot suid root,
but what _are_ you telling me?
I'm now trying:
`sudo /usr/bin/chroot /home/update.jail /bin/su -l update`
So my chroot command/shell is `/bin/su -l update`.
My error is now a little more strange, i.e.:
"/bin/su: incorrect password"
Don't tell me I'm typing the incorrect password, I'm not!
* If I try `su update`, then I'm asked for the password, which I type
(correctly), the machine pauses for over a second, then I get the error.
* If I try `sudo /usr/bin/chroot /home/update.jail /bin/su - update` from
the prompt, I'm not asked for the password, I get the error immediately.
The lines in /etc/sudoers read:
localadmin ALL=(ALL) NOPASSWD: ALL
update ALL=(ALL) NOPASSWD: ALL
No, localadmin isn't even in that file normally, I've only added it for
testing - I'm logged in as localadmin when trying to su to update and run
the sudo chroot command.
Obviously, even if this all works, I'll have to leave a copy of su in my
chroot jail. Is this really a good thing?
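The pattern Peter alludes to ("clean programming and suid-binaries") is a small helper that runs as root just long enough to chroot() and then drops to the unprivileged account itself, instead of carrying su into the jail. The following is an added example written for this thread, not code from either poster or from SUSE's compartment: it resolves the account against the real /etc/passwd before chroot(), refuses a jail directory that is not root-owned or is group/world writable, enters the jail, drops supplementary groups, gid and uid in that order, verifies the drop stuck, and only then executes the program. The jail path /home/update.jail and the user name update are taken from the thread; the program name jailrun and the chroot-then-drop order are the example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if `dir` is usable as a jail root: it exists, is a directory,
 * is owned by root and is not writable by group or others.  On failure
 * return 0 with errno set.  A jail the confined user can write to is not
 * a meaningful boundary, so it is rejected up front. */
int jail_dir_ok(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0)
        return 0;                      /* errno from stat, e.g. ENOENT */
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return 0;
    }
    if (st.st_uid != 0) {
        errno = EPERM;                 /* must be owned by root */
        return 0;
    }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) {
        errno = EACCES;                /* must not be group/world writable */
        return 0;
    }
    return 1;
}

/* Enter the jail and become uid/gid.  Returns 0 on success, -errno on
 * failure.  Order matters: chroot() needs root, so it runs first;
 * chdir("/") moves the cwd inside the new root; groups and gid are
 * dropped before uid, because setgroups()/setgid() themselves need root. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (!jail_dir_ok(dir))
        return -errno;
    if (chroot(dir) != 0)
        return -errno;     /* EPERM here is the thread's symptom: not root */
    if (chdir("/") != 0)
        return -errno;
    if (setgroups(0, NULL) != 0)       /* drop supplementary groups */
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    /* The drop must be irreversible: regaining root has to fail now. */
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;
    return 0;
}

/* usage (as root): jailrun <jaildir> <user> <program> [args...] */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s <jaildir> <user> <program> [args...]\n", argv[0]);
        return 2;
    }
    /* Resolve the account before chroot(), against the real /etc/passwd. */
    struct passwd *pw = getpwnam(argv[2]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[2]);
        return 2;
    }
    int rc = enter_jail(argv[1], pw->pw_uid, pw->pw_gid);
    if (rc != 0) {
        fprintf(stderr, "enter_jail(%s): %s\n", argv[1], strerror(-rc));
        return 1;
    }
    /* argv[3] is now a path inside the jail, e.g. /bin/sh in the jail. */
    execv(argv[3], &argv[3]);
    perror("execv");
    return 1;
}
```

Run it as root, e.g. `sudo ./jailrun /home/update.jail update /bin/sh`; the program named last has to exist inside the jail, but su, its PAM configuration and the password databases do not, because the account lookup happens before chroot() and the helper does its own setuid() rather than asking su to authenticate against whatever /etc/passwd and /etc/shadow it can see from inside the jail. The setuid(0) check at the end is what distinguishes a real drop from one that left a saved root uid behind.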